Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

Netflix To...er.exe

windows10-2004-x64

10

Netflix To...et.dll

windows10-2004-x64

1

Netflix To....0.dll

windows10-2004-x64

1

Netflix To...ip.dll

windows10-2004-x64

1

Netflix To...er.exe

windows10-2004-x64

8

Netflix To...et.dll

windows10-2004-x64

1

Netflix To....0.dll

windows10-2004-x64

1

Netflix To...ys.exe

windows10-2004-x64

10

Netflix To...le.dll

windows10-2004-x64

1

Netflix To...ER.exe

windows10-2004-x64

8

Netflix To...on.dll

windows10-2004-x64

1

Netflix To...cs.dll

windows10-2004-x64

1

Netflix To...le.dll

windows10-2004-x64

1

Netflix To...ip.dll

windows10-2004-x64

1

Netflix To...er.exe

windows10-2004-x64

8

Netflix To...et.dll

windows10-2004-x64

1

Netflix To...on.dll

windows10-2004-x64

1

Netflix To...rv.exe

windows10-2004-x64

1

Netflix To....0.dll

windows10-2004-x64

1

Netflix To...v2.exe

windows10-2004-x64

8

Netflix To...bo.dll

windows10-2004-x64

1

Netflix To...ip.dll

windows10-2004-x64

1

Netflix To...er.exe

windows10-2004-x64

8

Netflix To....0.dll

windows10-2004-x64

1

Netflix To...ck.exe

windows10-2004-x64

3

Netflix To...bo.dll

windows10-2004-x64

1

Netflix To...er.exe

windows10-2004-x64

1

Netflix To...er.dll

windows10-2004-x64

1

Netflix To...et.dll

windows10-2004-x64

1

Netflix To...UI.dll

windows10-2004-x64

1

Netflix To...et.dll

windows10-2004-x64

1

Netflix To...ar.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2024, 22:11 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Netflix Tools PACK/NetFlix Checker by xRisky v2/NetFlix Checker by xRisky v2.exe

  • Size

    187KB

  • MD5

    a936e1c25e761f0dac98e9d42ad28637

  • SHA1

    1c9168c664a0bf33be15aa8311f803f7ebe865cb

  • SHA256

    cc93d5cb201a68dd673a5cf55ac97723b226fb670a73df2d29548bf25245c2a4

  • SHA512

    91ab6da7dcfe8639eb0a9c743e6e10ad6b2b30b5ef99e2b779402983a5485414e84f91539b18b93ff528517402ad24538f3ad929b6a583907b71dca1c631a636

  • SSDEEP

    1536:94l0gePQLjUDAbY1oCT/n9156ET5B61H7SRIRUnPYG+lB:94l0g5G93/6hRUgt

Score
8/10
discoveryexecutionpersistence

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe
    "C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\NetFlix Checker by xRisky v2.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\Launcher.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4108
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1448
      • C:\Windows\IMF\Windows Services.exe
        "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\IMF\Secure System Shell.exe
          "C:\Windows\IMF\Secure System Shell.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:808
        • C:\Windows\IMF\Runtime Explorer.exe
          "C:\Windows\IMF\Runtime Explorer.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4912
    • C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\NetCheck.exe
      "C:\Users\Admin\AppData\Local\Temp\Netflix Tools PACK\NetFlix Checker by xRisky v2\debug\NetCheck.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:5080

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    209.205.72.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    209.205.72.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
  • flag-us
    DNS
    72.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    72.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    72.209.201.84.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    99.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    226.108.222.173.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    226.108.222.173.in-addr.arpa
    IN PTR
    Response
    226.108.222.173.in-addr.arpa
    IN PTR
    a173-222-108-226deploystaticakamaitechnologiescom
  • flag-us
    DNS
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    210.108.222.173.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    210.108.222.173.in-addr.arpa
    IN PTR
    Response
    210.108.222.173.in-addr.arpa
    IN PTR
    a173-222-108-210deploystaticakamaitechnologiescom
  • flag-us
    DNS
    26.178.89.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.178.89.13.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    330 B
     90 B
     5
    1

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    209.205.72.20.in-addr.arpa
    dns
    360 B
     158 B
     5
    1

    DNS Request

    209.205.72.20.in-addr.arpa

    DNS Request

    209.205.72.20.in-addr.arpa

    DNS Request

    209.205.72.20.in-addr.arpa

    DNS Request

    209.205.72.20.in-addr.arpa

    DNS Request

    209.205.72.20.in-addr.arpa

  • 8.8.8.8:53
    g.bing.com
    dns
    280 B
     5

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

    DNS Request

    g.bing.com

  • 8.8.8.8:53
    72.209.201.84.in-addr.arpa
    dns
    144 B
     132 B
     2
    1

    DNS Request

    72.209.201.84.in-addr.arpa

    DNS Request

    72.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    142 B
     157 B
     2
    1

    DNS Request

    4.159.190.20.in-addr.arpa

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    146 B
     144 B
     2
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    99.209.201.84.in-addr.arpa
    dns
    72 B
     132 B
     1
    1

    DNS Request

    99.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    226.108.222.173.in-addr.arpa
    dns
    74 B
     141 B
     1
    1

    DNS Request

    226.108.222.173.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    210.108.222.173.in-addr.arpa
    dns
    74 B
     141 B
     1
    1

    DNS Request

    210.108.222.173.in-addr.arpa

  • 8.8.8.8:53
    26.178.89.13.in-addr.arpa
    dns
    71 B
     145 B
     1
    1

    DNS Request

    26.178.89.13.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zdwavpcr.2kn.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\IMF\Runtime Explorer.exe
    Filesize

    144KB

    MD5

    5ea4ee24f01613f1bd403312c46b9ec9

    SHA1

    3d76201186437c8e0daba0ee37472fe3c4ef546d

    SHA256

    c81755fe990f1b023bf9b88eed4856c088755af050ea4627ed081a8203f03472

    SHA512

    73b0cc6d49db601b50a5c89b4b0f083a69efd6ff063edc03c93cac16c104173b8a1d172279e88f8a1b17b3b56f27a9fe6f207fde51729292cbacb272c75c8f53

    Download Submit

  • C:\Windows\IMF\Secure System Shell.exe
    Filesize

    45KB

    MD5

    7d0c7359e5b2daa5665d01afdc98cc00

    SHA1

    c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

    SHA256

    f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

    SHA512

    a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

    Download Submit

  • C:\Windows\IMF\Windows Services.exe
    Filesize

    46KB

    MD5

    ad0ce1302147fbdfecaec58480eb9cf9

    SHA1

    874efbc76e5f91bc1425a43ea19400340f98d42b

    SHA256

    2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

    SHA512

    adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

    Download Submit

  • memory/464-6-0x0000000074F00000-0x00000000756B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/464-5-0x00000000050F0000-0x00000000050FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/464-4-0x0000000005110000-0x00000000051A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/464-7-0x0000000005350000-0x00000000053A6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/464-0-0x0000000074F0E000-0x0000000074F0F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/464-3-0x0000000005620000-0x0000000005BC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/464-2-0x0000000004FD0000-0x000000000506C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/464-1-0x0000000000620000-0x0000000000654000-memory.dmp

    Filesize

    208KB

    Download

  • memory/464-14-0x0000000074F00000-0x00000000756B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/808-91-0x00000000005B0000-0x00000000005C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1448-86-0x0000000006B90000-0x0000000006BAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1448-34-0x00000000065A0000-0x00000000065BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1448-103-0x0000000007C10000-0x0000000007C18000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1448-102-0x0000000007C30000-0x0000000007C4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1448-19-0x0000000005680000-0x0000000005CA8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1448-101-0x0000000007B30000-0x0000000007B44000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1448-23-0x0000000005E90000-0x0000000005EF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1448-22-0x0000000005E20000-0x0000000005E86000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1448-21-0x0000000005640000-0x0000000005662000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1448-100-0x0000000007B20000-0x0000000007B2E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1448-33-0x0000000005F80000-0x00000000062D4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1448-88-0x00000000077B0000-0x0000000007853000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1448-35-0x00000000065E0000-0x000000000662C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1448-99-0x0000000007AF0000-0x0000000007B01000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1448-98-0x0000000007B70000-0x0000000007C06000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1448-97-0x0000000007960000-0x000000000796A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1448-96-0x00000000078F0000-0x000000000790A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1448-16-0x0000000005010000-0x0000000005046000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1448-76-0x000000006FD60000-0x000000006FDAC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1448-95-0x0000000007F30000-0x00000000085AA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1448-75-0x0000000007570000-0x00000000075A2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1596-73-0x0000000000CE0000-0x0000000000CF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4108-58-0x0000000006340000-0x000000000635E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4108-9-0x0000000074F00000-0x00000000756B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4108-8-0x0000000000750000-0x0000000000764000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4108-74-0x0000000074F00000-0x00000000756B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4108-10-0x0000000074F00000-0x00000000756B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4108-57-0x0000000006360000-0x00000000063D6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4108-11-0x0000000006700000-0x000000000677E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/4108-12-0x0000000074F00000-0x00000000756B0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5080-15-0x0000000000A60000-0x000000000109C000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/5080-20-0x0000000006DE0000-0x000000000730C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/5080-18-0x0000000005CF0000-0x0000000005D44000-memory.dmp

    Filesize

    336KB

    Download

  • memory/5080-17-0x0000000005770000-0x0000000005790000-memory.dmp

    Filesize

    128KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.