Analysis
max time kernel: 94s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/03/2025, 03:52
Static task
static1
Behavioral task
behavioral1
Sample
834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9.msi
Resource
win7-20250207-en
Behavioral task
behavioral2
Sample
834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9.msi
Resource
win10v2004-20250217-en
General
Target: 834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9.msi
Size: 5.3MB
MD5: b6a96e71ad5c0f9b96b2f1d7021e4e09
SHA1: 73eabaad78c61de825ed0c8bec9e3b81f5568dbd
SHA256: 834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9
SHA512: bff28c1b4b7e3ca6dbfdf44203bb06c0872e5b2e29eceea39f1669afc783527be40460d73d50ea1a9cee9583c8fd538f5b14f3481aa42cca1e0bef9da9c8a800
SSDEEP: 98304:/Hrk3bVI2OzboNeQBWkl43yRev9CcTnuKLFKcwD8OfL4vWmCP82wajDOOInENX:jsq5zboN6F9BLuuKcxOfL4vW225jDOO/
Malware Config
Extracted
bumblebee
10111
-
dga
dga_seed: 7827833623176771557
domain_length: 11
num_dga_domains: 300
port: 443
tld: .click
Signatures
-
Bumblebee family
-
Blocklisted process makes network request 5 IoCs
flow | pid | Process
40 | 4916 | rundll32.exe
43 | 4340 | MsiExec.exe
45 | 4340 | MsiExec.exe
47 | 4340 | MsiExec.exe
51 | 2956 | rundll32.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\V: | ZipItNow.exe
File opened (read-only) | \??\X: | ZipItNow.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | ZipItNow.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | ZipItNow.exe
File opened (read-only) | \??\Q: | ZipItNow.exe
File opened (read-only) | \??\Z: | ZipItNow.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\R: | ZipItNow.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\M: | ZipItNow.exe
File opened (read-only) | \??\K: | ZipItNow.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\A: | ZipItNow.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\H: | ZipItNow.exe
File opened (read-only) | \??\W: | ZipItNow.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Y: | ZipItNow.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\E: | ZipItNow.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\T: | ZipItNow.exe
File opened (read-only) | \??\Z: | msiexec.exe
Drops file in Windows directory 41 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\e57bb8f.msi | msiexec.exe
File created | C:\Windows\Installer\e57bb92.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC526.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC5F3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCAA4A5F9758040DD89A131FF3F7322FE69\CustomAction.config | rundll32.exe
File created | C:\Windows\Installer\SourceHash{A5863F7C-1873-400B-A58B-82D197645A40} | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCA05F746FD6648F6A8BD618D8EB7732833\Microsoft.Win32.TaskScheduler.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\SFXCAA4A5F9758040DD89A131FF3F7322FE69\Microsoft.Win32.TaskScheduler.resources.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIC653.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\e57bb92.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCAA1C017F394423429D126033251881F2C\Microsoft.Win32.TaskScheduler.resources.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\SFXCAA1C017F394423429D126033251881F2C\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\Installer\SFXCA05F746FD6648F6A8BD618D8EB7732833\RequestSender.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIC603.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCAA4A5F9758040DD89A131FF3F7322FE69\Microsoft.Win32.TaskScheduler.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIBC7A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCAA4A5F9758040DD89A131FF3F7322FE69\WixToolset.Dtf.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIC80C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDB99.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCA05F746FD6648F6A8BD618D8EB7732833\WixToolset.Dtf.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\SFXCA05F746FD6648F6A8BD618D8EB7732833\CustomAction.config | rundll32.exe
File created | C:\Windows\Installer\e57bb8f.msi | msiexec.exe
File created | C:\Windows\Installer\e57bb91.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC527.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC6C2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCAA1C017F394423429D126033251881F2C\Microsoft.Win32.TaskScheduler.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSID9C3.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC633.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC711.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC88A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCAA1C017F394423429D126033251881F2C\RequestSender.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\SFXCAA1C017F394423429D126033251881F2C\WixToolset.Dtf.WindowsInstaller.dll | rundll32.exe
File created | C:\Windows\Installer\e57bb96.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756} | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCAA4A5F9758040DD89A131FF3F7322FE69\RequestSender.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIC966.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICD6E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\SFXCA05F746FD6648F6A8BD618D8EB7732833\Microsoft.Win32.TaskScheduler.resources.dll | rundll32.exe
Executes dropped EXE 1 IoCs
pid | Process
3192 | ZipItNow.exe
Loads dropped DLL 35 IoCs
pid | Process
1608 | rundll32.exe
3192 | ZipItNow.exe
3192 | ZipItNow.exe
368 | MsiExec.exe
4340 | MsiExec.exe
4340 | MsiExec.exe
4340 | MsiExec.exe
4916 | rundll32.exe
4340 | MsiExec.exe
4340 | MsiExec.exe
4340 | MsiExec.exe
3192 | ZipItNow.exe
4916 | rundll32.exe
4916 | rundll32.exe
4340 | MsiExec.exe
4916 | rundll32.exe
4916 | rundll32.exe
4340 | MsiExec.exe
4340 | MsiExec.exe
4340 | MsiExec.exe
1652 | rundll32.exe
1652 | rundll32.exe
1652 | rundll32.exe
1652 | rundll32.exe
1652 | rundll32.exe
1652 | rundll32.exe
1652 | rundll32.exe
4340 | MsiExec.exe
4340 | MsiExec.exe
4340 | MsiExec.exe
2956 | rundll32.exe
2956 | rundll32.exe
2956 | rundll32.exe
2956 | rundll32.exe
2956 | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
4820 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZipItNow.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
1356 | msiexec.exe
1356 | msiexec.exe
1356 | msiexec.exe
1356 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4820 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4820 | msiexec.exe
Token: SeSecurityPrivilege | 1356 | msiexec.exe
Token: SeCreateTokenPrivilege | 4820 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4820 | msiexec.exe
Token: SeLockMemoryPrivilege | 4820 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4820 | msiexec.exe
Token: SeMachineAccountPrivilege | 4820 | msiexec.exe
Token: SeTcbPrivilege | 4820 | msiexec.exe
Token: SeSecurityPrivilege | 4820 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4820 | msiexec.exe
Token: SeLoadDriverPrivilege | 4820 | msiexec.exe
Token: SeSystemProfilePrivilege | 4820 | msiexec.exe
Token: SeSystemtimePrivilege | 4820 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4820 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4820 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4820 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4820 | msiexec.exe
Token: SeBackupPrivilege | 4820 | msiexec.exe
Token: SeRestorePrivilege | 4820 | msiexec.exe
Token: SeShutdownPrivilege | 4820 | msiexec.exe
Token: SeDebugPrivilege | 4820 | msiexec.exe
Token: SeAuditPrivilege | 4820 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4820 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4820 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4820 | msiexec.exe
Token: SeUndockPrivilege | 4820 | msiexec.exe
Token: SeSyncAgentPrivilege | 4820 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4820 | msiexec.exe
Token: SeManageVolumePrivilege | 4820 | msiexec.exe
Token: SeImpersonatePrivilege | 4820 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4820 | msiexec.exe
Token: SeBackupPrivilege | 2752 | vssvc.exe
Token: SeRestorePrivilege | 2752 | vssvc.exe
Token: SeAuditPrivilege | 2752 | vssvc.exe
Token: SeBackupPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1356 | msiexec.exe
Token: SeRestorePrivilege | 1356 | msiexec.exe
Suspicious use of FindShellTrayWindow 5 IoCs
pid | Process
4820 | msiexec.exe
4820 | msiexec.exe
3192 | ZipItNow.exe
4912 | msiexec.exe
4912 | msiexec.exe
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 1356 wrote to memory of 2448 | 1356 | msiexec.exe | 100
PID 1356 wrote to memory of 2448 | 1356 | msiexec.exe | 100
PID 1356 wrote to memory of 1608 | 1356 | msiexec.exe | 102
PID 1356 wrote to memory of 1608 | 1356 | msiexec.exe | 102
PID 1356 wrote to memory of 3192 | 1356 | msiexec.exe | 103
PID 1356 wrote to memory of 3192 | 1356 | msiexec.exe | 103
PID 1356 wrote to memory of 3192 | 1356 | msiexec.exe | 103
PID 1356 wrote to memory of 368 | 1356 | msiexec.exe | 104
PID 1356 wrote to memory of 368 | 1356 | msiexec.exe | 104
PID 1356 wrote to memory of 368 | 1356 | msiexec.exe | 104
PID 3192 wrote to memory of 4912 | 3192 | ZipItNow.exe | 105
PID 3192 wrote to memory of 4912 | 3192 | ZipItNow.exe | 105
PID 3192 wrote to memory of 4912 | 3192 | ZipItNow.exe | 105
PID 1356 wrote to memory of 4340 | 1356 | msiexec.exe | 106
PID 1356 wrote to memory of 4340 | 1356 | msiexec.exe | 106
PID 1356 wrote to memory of 4340 | 1356 | msiexec.exe | 106
PID 4340 wrote to memory of 4916 | 4340 | MsiExec.exe | 107
PID 4340 wrote to memory of 4916 | 4340 | MsiExec.exe | 107
PID 4340 wrote to memory of 4916 | 4340 | MsiExec.exe | 107
PID 4340 wrote to memory of 1652 | 4340 | MsiExec.exe | 108
PID 4340 wrote to memory of 1652 | 4340 | MsiExec.exe | 108
PID 4340 wrote to memory of 1652 | 4340 | MsiExec.exe | 108
PID 4340 wrote to memory of 2956 | 4340 | MsiExec.exe | 110
PID 4340 wrote to memory of 2956 | 4340 | MsiExec.exe | 110
PID 4340 wrote to memory of 2956 | 4340 | MsiExec.exe | 110
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe (PID 4820)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1356)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe (PID 2448)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  C:\Windows\system32\rundll32.exe (PID 1608)
    Command line: "rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.dll",DllRegisterServer
    - Loads dropped DLL

  C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe (PID 3192)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe"
    - Enumerates connected drives
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 4912)
      Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\ZipItNow.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741424508 " AI_EUIMSI=""
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow

  C:\Windows\syswow64\MsiExec.exe (PID 368)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1668A8DAF5A895B6862807AACD6CA5E2 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  C:\Windows\syswow64\MsiExec.exe (PID 4340)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A3C8A36530B96D859BB54ABCD26DE016
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe (PID 4916)
      Command line: rundll32.exe "C:\Windows\Installer\MSIC526.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240633312 3 RequestSender!RequestSender.CustomActions.Start
      - Blocklisted process makes network request
      - Drops file in Windows directory
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\rundll32.exe (PID 1652)
      Command line: rundll32.exe "C:\Windows\Installer\MSIC966.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240634218 61 RequestSender!RequestSender.CustomActions.CreateScheduledTask
      - Drops file in Windows directory
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\rundll32.exe (PID 2956)
      Command line: rundll32.exe "C:\Windows\Installer\MSIDB99.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240638906 1937 RequestSender!RequestSender.CustomActions.Finish
      - Blocklisted process makes network request
      - Drops file in Windows directory
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe (PID 2752)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
\??\Volume{24b92e62-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{aa25829a-3a54-477b-9f45-cd3a69c67dab}_OnDiskSnapshotProp
Filesize: 6KB