Analysis
-
max time kernel
39s -
max time network
41s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system -
submitted
23-02-2023 09:11
Behavioral task
behavioral1
Sample
9D8AA271.msi
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
9D8AA271.msi
Resource
win10v2004-20230220-en
Errors
General
-
Target
9D8AA271.msi
-
Size
1.4MB
-
MD5
7a72d5e6044805ea4d2f37bdbdc0ab2d
-
SHA1
9b54a2d8ee1ead6bf053f0aaf724e4d44e1de8ae
-
SHA256
34159049a92a5849bc9c11bd8ed4411aa5f5ecac4a80ddc2cc9f5df22980c1ec
-
SHA512
f100069fe104f7bb9154247f26e130d739eeb4e834ef6e801901bb489847c6791c5ec53f9160de3f8295483d52004890b79af27a4057f5c2d7d9eb4d9ceb0ff9
-
SSDEEP
24576:KUuDXXNGj04BMeRocDP1Nz4lDhkPTG4Mcgiwkew8vroUQGDXDNSnf6BlMRUT:KdXdJi5oo+FeBRSw8vlQIzNSnf6y4
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
Processes:
pid   process
1108  MsiExec.exe
1108  MsiExec.exe
1108  MsiExec.exe
1108  MsiExec.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description              ioc     process
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\F:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
-
Drops file in Windows directory 12 IoCs
Processes:
description                   ioc                                process
File opened for modification  C:\Windows\Installer\MSI148C.tmp   msiexec.exe
File opened for modification  C:\Windows\Installer\MSI14DB.tmp   msiexec.exe
File created                  C:\Windows\Installer\6c129a.ipi    msiexec.exe
File opened for modification  C:\Windows\Installer\              msiexec.exe
File opened for modification  C:\Windows\Installer\6c129a.ipi    msiexec.exe
File created                  C:\Windows\Installer\6c1298.msi    msiexec.exe
File opened for modification  C:\Windows\Installer\MSI12D6.tmp   msiexec.exe
File opened for modification  C:\Windows\Installer\MSI16BF.tmp   msiexec.exe
File opened for modification  C:\Windows\Installer\MSI1E11.tmp   msiexec.exe
File created                  C:\Windows\dbcode21mk.log          msiexec.exe
File created                  C:\Windows\setupact64.log          msiexec.exe
File opened for modification  C:\Windows\Installer\6c1298.msi    msiexec.exe
-
Modifies data under HKEY_USERS 31 IoCs
Processes:
description       ioc                                                                                                                    process
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Key deleted       \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E  msiexec.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"  netsh.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E  msiexec.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"  netsh.exe
Key deleted       \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D  msiexec.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"  netsh.exe
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"  netsh.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1192  msiexec.exe
1192  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
Processes:
description                            pid   process
Token: SeShutdownPrivilege             1396  msiexec.exe
Token: SeIncreaseQuotaPrivilege        1396  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeSecurityPrivilege             1192  msiexec.exe
Token: SeCreateTokenPrivilege          1396  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   1396  msiexec.exe
Token: SeLockMemoryPrivilege           1396  msiexec.exe
Token: SeIncreaseQuotaPrivilege        1396  msiexec.exe
Token: SeMachineAccountPrivilege       1396  msiexec.exe
Token: SeTcbPrivilege                  1396  msiexec.exe
Token: SeSecurityPrivilege             1396  msiexec.exe
Token: SeTakeOwnershipPrivilege        1396  msiexec.exe
Token: SeLoadDriverPrivilege           1396  msiexec.exe
Token: SeSystemProfilePrivilege        1396  msiexec.exe
Token: SeSystemtimePrivilege           1396  msiexec.exe
Token: SeProfSingleProcessPrivilege    1396  msiexec.exe
Token: SeIncBasePriorityPrivilege      1396  msiexec.exe
Token: SeCreatePagefilePrivilege       1396  msiexec.exe
Token: SeCreatePermanentPrivilege      1396  msiexec.exe
Token: SeBackupPrivilege               1396  msiexec.exe
Token: SeRestorePrivilege              1396  msiexec.exe
Token: SeShutdownPrivilege             1396  msiexec.exe
Token: SeDebugPrivilege                1396  msiexec.exe
Token: SeAuditPrivilege                1396  msiexec.exe
Token: SeSystemEnvironmentPrivilege    1396  msiexec.exe
Token: SeChangeNotifyPrivilege         1396  msiexec.exe
Token: SeRemoteShutdownPrivilege       1396  msiexec.exe
Token: SeUndockPrivilege               1396  msiexec.exe
Token: SeSyncAgentPrivilege            1396  msiexec.exe
Token: SeEnableDelegationPrivilege     1396  msiexec.exe
Token: SeManageVolumePrivilege         1396  msiexec.exe
Token: SeImpersonatePrivilege          1396  msiexec.exe
Token: SeCreateGlobalPrivilege         1396  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeRestorePrivilege              1192  msiexec.exe
Token: SeTakeOwnershipPrivilege        1192  msiexec.exe
Token: SeShutdownPrivilege             1192  msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid   process
1396  msiexec.exe
1396  msiexec.exe
-
Suspicious use of WriteProcessMemory 62 IoCs
Processes:
description                        pid   process      target process
PID 1192 wrote to memory of 1108   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1108   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1108   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1108   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1108   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1108   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1108   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1500   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1500   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1500   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1500   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1500   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1500   1192  msiexec.exe  MsiExec.exe
PID 1192 wrote to memory of 1500   1192  msiexec.exe  MsiExec.exe
PID 1500 wrote to memory of 900    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 900    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 900    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 900    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1976   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1976   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1976   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1976   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 560    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 560    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 560    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 560    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1532   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1532   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1532   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1532   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1788   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1788   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1788   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1788   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1924   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1924   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1924   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1924   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 524    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 524    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 524    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 524    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 576    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 576    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 576    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 576    1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 2024   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 2024   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 2024   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 2024   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1504   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1504   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1504   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1504   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1332   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1332   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1332   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1332   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1692   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1692   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1692   1500  MsiExec.exe  netsh.exe
PID 1500 wrote to memory of 1692   1500  MsiExec.exe  netsh.exe
Processes
-
C:\Windows\system32\msiexec.exe (depth 1)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9D8AA271.msi
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe (depth 1)
  C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
  C:\Windows\syswow64\MsiExec.exe -Embedding 1BFC32E9A5F171F3E9A3AD85AA33C4D7
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
  C:\Windows\syswow64\MsiExec.exe -Embedding 4EDF8C002E127DC986B6C2D05FF991DB M Global\MSI0000
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\netsh.exe (depth 3)
  "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
- Modifies data under HKEY_USERS
-
C:\Windows\system32\LogonUI.exe (depth 1)
  "LogonUI.exe" /flags:0x0
-
C:\Windows\system32\LogonUI.exe (depth 1)
  "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Config.Msi\6c129b.rbs
Filesize
2KB
MD5
3856eafb8d3c30a714b55dc1a835dcec
SHA1
f78cf11eda1f9c38bbe93980901ac60fc7ce1906
SHA256
472acb82b0858119d94db546ba80578f122ed53235b2b48342b2fe6a57c1e835
SHA512
6c96deba6c66b68ae5622628a88097a3611dea23d8dcdfa8fb4aaeab16a3d0f45745797b1307cf5753f60fbee722fe91340cb949027df4d6e205c4a7da2f5f9b
-
C:\Windows\Installer\MSI12D6.tmp
Filesize
141KB
MD5
4ba8ef50ce73395ad623c770c10e35a7
SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76
SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSI148C.tmp
Filesize
141KB
MD5
4ba8ef50ce73395ad623c770c10e35a7
SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76
SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
C:\Windows\Installer\MSI14DB.tmp
Filesize
118KB
MD5
4b49c57cbefa1d2773da1f95338e294d
SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9
SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08
SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165
-
C:\Windows\Installer\MSI16BF.tmp
Filesize
141KB
MD5
4ba8ef50ce73395ad623c770c10e35a7
SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76
SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
\Windows\Installer\MSI12D6.tmp
Filesize
141KB
MD5
4ba8ef50ce73395ad623c770c10e35a7
SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76
SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
\Windows\Installer\MSI148C.tmp
Filesize
141KB
MD5
4ba8ef50ce73395ad623c770c10e35a7
SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76
SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
\Windows\Installer\MSI14DB.tmp
Filesize
118KB
MD5
4b49c57cbefa1d2773da1f95338e294d
SHA1
108ea90d8a42cf31f7d8d7710b5fd713ca048ef9
SHA256
68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08
SHA512
42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165
-
\Windows\Installer\MSI16BF.tmp
Filesize
141KB
MD5
4ba8ef50ce73395ad623c770c10e35a7
SHA1
63600584c296c0cbe1775a759c34ab384e1bbf76
SHA256
6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA512
0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
memory/1108-73-0x0000000074160000-0x00000000741C5000-memory.dmp
Filesize
404KB
-
memory/1108-60-0x0000000000200000-0x0000000000203000-memory.dmp
Filesize
12KB
-
memory/1108-74-0x0000000000410000-0x0000000000411000-memory.dmp
Filesize
4KB
-
memory/1108-75-0x0000000074180000-0x00000000741D0000-memory.dmp
Filesize
320KB
-
memory/1108-76-0x0000000074160000-0x00000000741C5000-memory.dmp
Filesize
404KB
-
memory/1108-59-0x0000000074160000-0x00000000741C5000-memory.dmp
Filesize
404KB
-
memory/1552-94-0x00000000026E0000-0x00000000026E1000-memory.dmp
Filesize
4KB
-
memory/1788-93-0x0000000002840000-0x0000000002841000-memory.dmp
Filesize
4KB