Analysis

max time kernel: 31s
max time network: 37s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09-04-2023 09:55
Behavioral task: behavioral1
Sample: SMB1.msi
Resource: win10-20230220-en
Errors
General

Target: SMB1.msi
Size: 2.6MB
MD5: 5bab2f1dd53b3ae08dab8a1a2d7c145c
SHA1: 2225b068ab2ca4c021d3baba82b8a950e8004fe4
SHA256: 78375c2ea7c8fb7fb40d41f750eab63271348a11559ddb71410b16e66326d373
SHA512: 86eb2bd142cb38c621cd51e146ab70702802577ceb6bbe3f4cf96d3c6c59a63c0ee34ab6119519f162e33a92f6997000f0659b93f3bfff9b431d2dcab223cbe5
SSDEEP: 49152:eCxZBWV19qVgK35goah9ZXT8IQXdZXPNH5fRTQCZ:POE5cpsXd3T
Malware Config
Signatures

YARA rule match: aspack_v212_v242 (ASPack packer, 11 IoCs)
Processes:
  resource                            yara_rule
  C:\Windows\Installer\MSIA55D.tmp    aspack_v212_v242
  \Windows\Installer\MSIA55D.tmp      aspack_v212_v242
  C:\Windows\Installer\MSIA7CF.tmp    aspack_v212_v242
  \Windows\Installer\MSIA7CF.tmp      aspack_v212_v242
  C:\Windows\Installer\MSIA86C.tmp    aspack_v212_v242
  C:\Windows\Installer\MSIA86C.tmp    aspack_v212_v242
  \Windows\Installer\MSIA86C.tmp      aspack_v212_v242
  C:\Windows\Installer\MSIA919.tmp    aspack_v212_v242
  \Windows\Installer\MSIA919.tmp      aspack_v212_v242
  \Windows\Installer\MSIA9D5.tmp      aspack_v212_v242
  C:\Windows\Installer\MSIA9D5.tmp    aspack_v212_v242
Note: MSI*.tmp files under C:\Windows\Installer are where Windows Installer writes the binaries it extracts from a package's Binary table (custom-action DLLs and EXEs). The packer hit is therefore on the custom-action code the MSI carries, not on the MSI container itself; the hashes of these files are listed under Downloads.
Loads dropped DLL (5 IoCs)
Processes: MsiExec.exe, PID 4764 (5 load events)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe (two instances). Each instance opened the root of drive letters A:, B: and E: through Z: read-only through the \??\<letter>: device path (24 letters x 2 processes = 48 IoCs). C: and D: do not appear in the list.
Note: this is Windows Installer's normal volume costing and shows up with benign MSI packages as well; on its own it is not an indicator for this sample.
Drops file in Windows directory (14 IoCs)
Process: msiexec.exe
  File created                  C:\Windows\Installer\SourceHash{80395032-1630-4C4B-A997-0A7CCB72C75B}
  File opened for modification  C:\Windows\Installer\MSIA86C.tmp
  File created                  C:\Windows\winupdate64.log
  File opened for modification  C:\Windows\Installer\MSIA7CF.tmp
  File opened for modification  C:\Windows\Installer\MSIA55D.tmp
  File opened for modification  C:\Windows\Installer\
  File created                  C:\Windows\sysupdate.log
  File opened for modification  C:\Windows\Installer\e56a482.msi
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File opened for modification  C:\Windows\Installer\MSIA919.tmp
  File opened for modification  C:\Windows\Installer\MSIA9D5.tmp
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi
  File opened for modification  C:\Windows\Installer\MSIAD03.tmp
  File created                  C:\Windows\Installer\e56a482.msi
Note: the cached package copy e56a482.msi, inprogressinstallinfo.ipi and SourceHash{...} are standard Windows Installer bookkeeping; the GUID in the SourceHash name is the package's ProductCode, which is the value to pivot on in the Installer registry keys of other hosts. C:\Windows\winupdate64.log and C:\Windows\sysupdate.log are not Windows Installer artifacts and their names imitate Windows Update; collect them from an infected host.
Modifies data under HKEY_USERS (28 IoCs)
Processes: LogonUI.exe, MsiExec.exe, msiexec.exe

LogonUI.exe (15 events; theme and DWM colour state written to the .DEFAULT hive by the logon screen, not caused by the sample):
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"

MsiExec.exe (10 events; the custom-action host runs as SYSTEM, hence the .DEFAULT hive):
  Key created       \REGISTRY\USER\.DEFAULT\Software
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"

msiexec.exe (3 events):
  Key deleted       \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E
  Key deleted       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e
  Key created       \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f

Interpretation: the Windows Script\Settings\JITDebug value and the ZoneMap values are written when a Windows Script engine and urlmon/WinINet are initialised inside a process; seeing them in the MsiExec.exe custom-action host is consistent with a script-based custom action running there.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: msiexec.exe, PID 2876 (2 events)
Suspicious use of AdjustPrivilegeToken (53 IoCs)
Processes: msiexec.exe PID 2504 (the client, msiexec.exe /I ...) and msiexec.exe PID 2876 (the service, msiexec.exe /V)

PID 2504, 31 events, in order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege

PID 2876, 22 events: SeSecurityPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating ten times each, then SeShutdownPrivilege

Note: the long list on PID 2504 is the installer client enabling every privilege present in its token, which is typical msiexec behaviour and not specific to this sample. The SeRestore/SeTakeOwnership pairs on the service PID line up with the file operations listed under "Drops file in Windows directory".
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: msiexec.exe, PID 2504 (2 events)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: LogonUI.exe, PID 3328
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msiexec.exe PID 2876, MsiExec.exe PID 3680

PID 2876 msiexec.exe wrote to memory of MsiExec.exe PID 4764 (3 events) and MsiExec.exe PID 3680 (3 events).
PID 3680 MsiExec.exe wrote to memory of netsh.exe PIDs 4944, 3692, 744, 3832, 4788, 4472, 4932, 4424, 4388, 4340, 4244, 5000, 1784, 3452, 1040, 3424, 664, 1596 and 4200 (3 events each) and netsh.exe PID 2008 (1 event, where the 64-entry list ends).
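Read together, the WriteProcessMemory entries above are the process lineage of the run: the installer service (2876) writes into each custom-action host it starts, and the second host (3680) writes into each netsh.exe it starts, three times per child and never again, which is what process creation looks like in this signature rather than injection into an existing target. The Python below is an added example, not sandbox tooling: it parses entries in this format (a constructed subset of the report's entries is embedded) into a tree and counts fan-out per parent, which is the quickest way to spot one MSI custom-action host launching a couple of dozen command-line tools.

```python
"""Rebuild process lineage from sandbox 'wrote to memory of' IoC lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the report's entries, one per line (the report runs
# them together on one line). PID 2008 appears once because the report's 64-entry
# list stops there.
SAMPLE_IOCS = """\
PID 2876 wrote to memory of 4764 2876 msiexec.exe MsiExec.exe
PID 2876 wrote to memory of 4764 2876 msiexec.exe MsiExec.exe
PID 2876 wrote to memory of 4764 2876 msiexec.exe MsiExec.exe
PID 2876 wrote to memory of 3680 2876 msiexec.exe MsiExec.exe
PID 2876 wrote to memory of 3680 2876 msiexec.exe MsiExec.exe
PID 2876 wrote to memory of 3680 2876 msiexec.exe MsiExec.exe
PID 3680 wrote to memory of 4944 3680 MsiExec.exe netsh.exe
PID 3680 wrote to memory of 4944 3680 MsiExec.exe netsh.exe
PID 3680 wrote to memory of 4944 3680 MsiExec.exe netsh.exe
PID 3680 wrote to memory of 3692 3680 MsiExec.exe netsh.exe
PID 3680 wrote to memory of 3692 3680 MsiExec.exe netsh.exe
PID 3680 wrote to memory of 3692 3680 MsiExec.exe netsh.exe
PID 3680 wrote to memory of 2008 3680 MsiExec.exe netsh.exe
"""

# "PID <parent> wrote to memory of <child> <parent> <parent image> <child image>"
IOC_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_writes(text):
    """Return ({(ppid, cpid): write_count}, {pid: image_name})."""
    counts, images = Counter(), {}
    for m in IOC_RE.finditer(text):
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        counts[(ppid, cpid)] += 1
        images[ppid], images[cpid] = pimg, cimg
    return counts, images


def children(counts):
    """Parent PID -> sorted list of child PIDs it wrote into."""
    tree = defaultdict(list)
    for ppid, cpid in counts:
        tree[ppid].append(cpid)
    return {p: sorted(c) for p, c in tree.items()}


def render(tree, images, root, depth=0):
    """Indented text tree rooted at `root`, one 'image (pid)' per line."""
    lines = [f"{'  ' * depth}{images[root]} ({root})"]
    for c in tree.get(root, []):
        lines.extend(render(tree, images, c, depth + 1))
    return lines


def fanout(counts, images, child_image):
    """Number of distinct children named `child_image` per parent PID
    (e.g. how many netsh.exe one MsiExec.exe custom-action host launched)."""
    out = Counter()
    for ppid, cpid in counts:
        if images[cpid].lower() == child_image.lower():
            out[ppid] += 1
    return dict(out)


def writes_per_child(counts):
    """Histogram of write counts per parent->child pair; a uniform small count
    for every pair is the creation pattern, a large count on one pair is not."""
    return dict(Counter(counts.values()))


if __name__ == "__main__":
    counts, images = parse_writes(SAMPLE_IOCS)
    print("\n".join(render(children(counts), images, 2876)))
    print("netsh.exe fan-out:", fanout(counts, images, "netsh.exe"))
```

Run against the full 64-entry list the tree has one more MsiExec.exe child under 2876 and twenty netsh.exe children under 3680; on a real host the same lineage is recoverable from Sysmon event ID 1 (ParentProcessId/ParentImage) without any memory-write signature.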
Processes

- C:\Windows\system32\msiexec.exe (depth 1)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\SMB1.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (depth 1)
  C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    C:\Windows\syswow64\MsiExec.exe -Embedding 1967E60859E34143BDADF7AC21F46741
      - Loads dropped DLL

  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    C:\Windows\syswow64\MsiExec.exe -Embedding B08430095E0B76AB27F1490CD8B8847D E Global\MSI0000
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\netsh.exe (depth 3; 25 instances, one per command line, in the order observed)
      "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=21 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8443 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
      "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
      "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y

- C:\Windows\system32\LogonUI.exe (depth 1)
  "LogonUI.exe" /flags:0x0 /state0:0xa3ad2855 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx

Reading the netsh sequence: the custom action builds one legacy IPsec policy (qianye) with a single filter list (Filter1), a block action, one rule tying them together, and then assigns the policy, which is the step that makes it take effect. The six srcaddr=any dstaddr=Me filters close inbound TCP and UDP 445, 135 and 139 (SMB and the RPC endpoint mapper) to every peer; the thirteen srcaddr=Me dstaddr=any filters stop the host itself from connecting out to TCP 21, 2222, 3333, 4444, 5555, 6666, 7777, 8443, 8888, 9000, 9999, 14443 and 14444. The misspelt action name FilteraAtion1 is the sample's own and is used consistently in both commands that reference it, so it is a usable string indicator. "interface ipv6 install" is an XP-era command; IPv6 is built into Windows 10 and it changes nothing there.
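The policy only does something once all four objects exist and the policy is assigned, so a detection that fires on a single "netsh ipsec static add filter" line over-counts, and one that ignores the final "set policy ... assign=y" under-counts. The Python below is an added example, not the sandbox's or the sample's code: it replays the 25 command lines (constructed here from the tree above, quotes and depth markers stripped) into the objects netsh creates, resolves which filters an assigned block rule actually enforces, and summarises them by direction. The STRATUM_PORTS set and the blocks_outbound_stratum_ports heuristic are the author's assumption about what the outbound list is for; the report itself does not say.

```python
"""Model the legacy IPsec policy built by 'netsh ipsec static' commands (added example)."""
import re
from collections import defaultdict

# Constructed from the 25 netsh command lines in the process tree, same order.
INBOUND_PORTS = (445, 135, 139)
OUTBOUND_PORTS = (21, 2222, 3333, 4444, 5555, 6666, 7777, 8443, 8888, 9000, 9999, 14443, 14444)

NETSH_CMDS = (
    [
        "netsh.exe interface ipv6 install",
        "netsh.exe ipsec static add policy name=qianye",
        "netsh.exe ipsec static add filterlist name=Filter1",
    ]
    + [
        f"netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport={p} protocol={proto}"
        for proto in ("TCP", "UDP")
        for p in INBOUND_PORTS
    ]
    + [
        f"netsh.exe ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport={p} protocol=TCP"
        for p in OUTBOUND_PORTS
    ]
    + [
        "netsh.exe ipsec static add filteraction name=FilteraAtion1 action=block",
        "netsh.exe ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1",
        "netsh.exe ipsec static set policy name=qianye assign=y",
    ]
)

KV = re.compile(r"(\w+)=(\S+)")

# Analyst assumption, not from the report: ports commonly used by stratum mining pools.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


def parse_ipsec_commands(cmds):
    """Replay the 'ipsec static' verbs into the objects netsh would create."""
    model = {
        "policies": {},                    # name -> {"assigned": bool}
        "filterlists": defaultdict(list),  # name -> [filter dicts]
        "filteractions": {},               # name -> "block" / "permit" / ...
        "rules": [],                       # {"name", "policy", "filterlist", "filteraction"}
        "other": [],                       # commands outside 'ipsec static'
    }
    for cmd in cmds:
        parts = cmd.split()
        if parts[1:3] != ["ipsec", "static"]:
            model["other"].append(cmd)
            continue
        verb, obj = parts[3], parts[4]
        kv = dict(KV.findall(cmd))
        if (verb, obj) == ("add", "policy"):
            model["policies"][kv["name"]] = {"assigned": False}
        elif (verb, obj) == ("add", "filterlist"):
            model["filterlists"].setdefault(kv["name"], [])
        elif (verb, obj) == ("add", "filter"):
            # mirrored=yes is the netsh default: the filter also matches the
            # reverse direction of the same flow.
            model["filterlists"][kv["filterlist"]].append({
                "src": kv["srcaddr"], "dst": kv["dstaddr"],
                "dstport": int(kv["dstport"]), "protocol": kv["protocol"].upper(),
                "mirrored": kv.get("mirrored", "yes") == "yes",
            })
        elif (verb, obj) == ("add", "filteraction"):
            model["filteractions"][kv["name"]] = kv["action"].lower()
        elif (verb, obj) == ("add", "rule"):
            model["rules"].append(kv)
        elif (verb, obj) == ("set", "policy"):
            model["policies"].setdefault(kv["name"], {})["assigned"] = kv.get("assign") == "y"
    return model


def effective_blocks(model):
    """Filters that take effect: assigned policy -> rule -> block action -> filter list."""
    blocks = []
    for rule in model["rules"]:
        if not model["policies"].get(rule["policy"], {}).get("assigned"):
            continue  # a policy that is never assigned enforces nothing
        if model["filteractions"].get(rule["filteraction"]) != "block":
            continue
        for f in model["filterlists"].get(rule["filterlist"], []):
            if f["dst"] == "Me" and f["src"] != "Me":
                direction = "inbound"
            elif f["src"] == "Me":
                direction = "outbound"
            else:
                direction = "transit"
            blocks.append((direction, f["dstport"], f["protocol"]))
    return blocks


def classify(blocks):
    """Summarise what the enforced filters do to the host, in hunting terms."""
    inbound = sorted({p for d, p, _ in blocks if d == "inbound"})
    outbound = sorted({p for d, p, _ in blocks if d == "outbound"})
    return {
        "inbound_ports": inbound,
        "outbound_ports": outbound,
        # SMB (445, 139) and the RPC endpoint mapper (135) closed to every peer
        "locks_smb_rpc_inbound": {135, 139, 445} <= set(inbound),
        "blocks_outbound_stratum_ports": len(STRATUM_PORTS & set(outbound)) >= 3,
    }


if __name__ == "__main__":
    for key, value in classify(effective_blocks(parse_ipsec_commands(NETSH_CMDS))).items():
        print(f"{key}: {value}")
```

On a suspect host the same policy is visible with "netsh ipsec static show policy all" and under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local; it does not appear among Windows Defender Firewall rules, which is easy to miss when triaging. Remove it with "netsh ipsec static set policy name=qianye assign=n" followed by "netsh ipsec static delete policy name=qianye".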
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Config.Msi\e56a484.rbs (Windows Installer rollback script, a standard installer artifact)
  Filesize: 2KB
  MD5: f88352c63a633bce7e62935e4dac1cf6
  SHA1: 68e53f47b824bd449185a2ec4dbd2828dbeb8061
  SHA256: 7172cea0100da8428d12e9423ff399b3999a493ffd67c8bf812fce6b4dab1878
  SHA512: 83e95fbe50f038d8b4bfbc4e0531da92f1ec22f57ead7ac016484c5a1f79f8e3992cb5d34b34dfd8f6a229440650e87aa721efc272eae47dfcef7cb2639a1996

Dropped MSI*.tmp, 227KB (identical content at every path below; ASPack-packed, see Signatures)
  Paths: C:\Windows\Installer\MSIA55D.tmp, C:\Windows\Installer\MSIA7CF.tmp, C:\Windows\Installer\MSIA86C.tmp (listed twice in the report), C:\Windows\Installer\MSIA9D5.tmp, \Windows\Installer\MSIA55D.tmp, \Windows\Installer\MSIA7CF.tmp, \Windows\Installer\MSIA86C.tmp, \Windows\Installer\MSIA9D5.tmp
  MD5: 86ae9ede65e1163d5f98d52c0c402c2f
  SHA1: 31e01227bc4225733dd593c19ab95d3e3708f8d4
  SHA256: 4dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee
  SHA512: 2c7239d3413dda3f8bec4efa4ad3fd90e3cee4f8087c239e32abd592af1a3ff5fa555a6adba1039529617edcc70dfd73ba2192e309ac8c24bf0cb84e2e3ea24a

Dropped MSI*.tmp, 288KB (ASPack-packed, see Signatures)
  Paths: C:\Windows\Installer\MSIA919.tmp, \Windows\Installer\MSIA919.tmp
  MD5: c625553f92e25719a64f0ee9805e9a69
  SHA1: e53066055bb35818b9fc1d9717f5a035b39139f1
  SHA256: d62ba3fe050f85f818582acccaf49a499c6fcaed23a2b914c08626e8b8cf4286
  SHA512: 8e0875946f115166dc2a54d73f0d5cfdee3aa4d669bf86623e74b0363d1863c4fea18ba0ce2e3335fd4a9385924026f0dc11973ef4405502625ef8ecabe54273
Memory dumps (all from PID 4764, the 32-bit MsiExec.exe custom-action host that loaded the dropped DLLs)
  memory/4764-<n>-0x00000000736C0000-0x0000000073723000-memory.dmp, 396KB, for n = 133, 134, 139, 140, 145, 146, 159, 160, 161, 163 (10 dumps of the same region)
  memory/4764-<n>-0x00000000736A0000-0x000000007372A000-memory.dmp, 552KB, for n = 151, 152, 162 (3 dumps of the same region)
Both regions are image-sized mappings inside the process that loaded the ASPack-packed MSI*.tmp files, so these dumps are the place to look for the unpacked custom-action code rather than the files on disk.