Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11/10/2023, 20:11
Behavioral task
behavioral1
Sample
mkhg_Invoice_PurpleFox.msi
Resource
win7-20230831-en
General
-
Target
mkhg_Invoice_PurpleFox.msi
-
Size
2.9MB
-
MD5
eb9a4cf233789b96f940be0186a26988
-
SHA1
002a1cee740fa212732379d1f00dbcf7c0cccbf2
-
SHA256
24d40ba4bf19e3cb942918eb8091ab467b11d5d737aef8e37cffc5306d0081d8
-
SHA512
725eefc24cf43ad0d5022f20608b1d149e9a4285cde7dc21b621aca3647d402a2ac7a2c0751614bae5f6d98c2b52e280e471f7f67f8916041c042bd1911784ce
-
SSDEEP
49152:irOlrXVVdWi59GUrSLzeaVtFUaQfqZ2jQbfcOQHe1XPVZNA+ta7Knc9vQXBlBKFk:xlFFrEYY7LXPPdHsGBlB8h24BKM
Malware Config
Signatures
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 5 IoCs
pid Process 1000 MsiExec.exe 1000 MsiExec.exe 1000 MsiExec.exe 1000 MsiExec.exe 1000 MsiExec.exe -
Modifies file permissions 1 TTPs 6 IoCs
pid Process 3484 takeown.exe 4216 takeown.exe 4840 takeown.exe 4188 takeown.exe 1604 takeown.exe 1656 takeown.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Drops file in Windows directory 14 IoCs
description ioc Process File created C:\Windows\dbcode86mk.log msiexec.exe File opened for modification C:\Windows\Installer\MSI85E9.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{80395032-1630-4C4B-A997-0A7CCB72C75B} msiexec.exe File created C:\Windows\.xml msiexec.exe File opened for modification C:\Windows\Installer\MSIF492.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF53F.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI102D.tmp msiexec.exe File created C:\Windows\Installer\e5784ef.msi msiexec.exe File opened for modification C:\Windows\Installer\e5784ef.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIF56F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF5ED.tmp msiexec.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 2744 sc.exe 3068 sc.exe -
Modifies data under HKEY_USERS 51 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e msiexec.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2076 msiexec.exe 2076 msiexec.exe 1556 powershell.exe 1556 powershell.exe -
Suspicious use of AdjustPrivilegeToken 59 IoCs
description pid Process Token: SeShutdownPrivilege 3500 msiexec.exe Token: SeIncreaseQuotaPrivilege 3500 msiexec.exe Token: SeSecurityPrivilege 2076 msiexec.exe Token: SeCreateTokenPrivilege 3500 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3500 msiexec.exe Token: SeLockMemoryPrivilege 3500 msiexec.exe Token: SeIncreaseQuotaPrivilege 3500 msiexec.exe Token: SeMachineAccountPrivilege 3500 msiexec.exe Token: SeTcbPrivilege 3500 msiexec.exe Token: SeSecurityPrivilege 3500 msiexec.exe Token: SeTakeOwnershipPrivilege 3500 msiexec.exe Token: SeLoadDriverPrivilege 3500 msiexec.exe Token: SeSystemProfilePrivilege 3500 msiexec.exe Token: SeSystemtimePrivilege 3500 msiexec.exe Token: SeProfSingleProcessPrivilege 3500 msiexec.exe Token: SeIncBasePriorityPrivilege 3500 msiexec.exe Token: SeCreatePagefilePrivilege 3500 msiexec.exe Token: SeCreatePermanentPrivilege 3500 msiexec.exe Token: SeBackupPrivilege 3500 msiexec.exe Token: SeRestorePrivilege 3500 msiexec.exe Token: SeShutdownPrivilege 3500 msiexec.exe Token: SeDebugPrivilege 3500 msiexec.exe Token: SeAuditPrivilege 3500 msiexec.exe Token: SeSystemEnvironmentPrivilege 3500 msiexec.exe Token: SeChangeNotifyPrivilege 3500 msiexec.exe Token: SeRemoteShutdownPrivilege 3500 msiexec.exe Token: SeUndockPrivilege 3500 msiexec.exe Token: SeSyncAgentPrivilege 3500 msiexec.exe Token: SeEnableDelegationPrivilege 3500 msiexec.exe Token: SeManageVolumePrivilege 3500 msiexec.exe Token: SeImpersonatePrivilege 3500 msiexec.exe Token: SeCreateGlobalPrivilege 3500 msiexec.exe Token: SeRestorePrivilege 2076 msiexec.exe Token: SeTakeOwnershipPrivilege 2076 msiexec.exe Token: SeRestorePrivilege 2076 msiexec.exe Token: SeTakeOwnershipPrivilege 2076 msiexec.exe Token: SeRestorePrivilege 2076 msiexec.exe Token: SeTakeOwnershipPrivilege 2076 msiexec.exe Token: SeRestorePrivilege 2076 msiexec.exe Token: SeTakeOwnershipPrivilege 2076 msiexec.exe Token: SeRestorePrivilege 2076 msiexec.exe Token: SeTakeOwnershipPrivilege 2076 msiexec.exe Token: SeRestorePrivilege 2076 msiexec.exe Token: SeTakeOwnershipPrivilege 2076 msiexec.exe Token: SeRestorePrivilege 2076 msiexec.exe Token: SeTakeOwnershipPrivilege 2076 msiexec.exe Token: SeShutdownPrivilege 5116 powercfg.exe Token: SeCreatePagefilePrivilege 5116 powercfg.exe Token: SeDebugPrivilege 1556 powershell.exe Token: SeTakeOwnershipPrivilege 3484 takeown.exe Token: SeTakeOwnershipPrivilege 4216 takeown.exe Token: SeTakeOwnershipPrivilege 4840 takeown.exe Token: SeTakeOwnershipPrivilege 4188 takeown.exe Token: SeTakeOwnershipPrivilege 1604 takeown.exe Token: SeTakeOwnershipPrivilege 1656 takeown.exe Token: SeRestorePrivilege 2076 msiexec.exe Token: SeTakeOwnershipPrivilege 2076 msiexec.exe Token: SeRestorePrivilege 2076 msiexec.exe Token: SeTakeOwnershipPrivilege 2076 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3500 msiexec.exe 3500 msiexec.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2076 wrote to memory of 1000 2076 msiexec.exe 90 PID 2076 wrote to memory of 1000 2076 msiexec.exe 90 PID 2076 wrote to memory of 1000 2076 msiexec.exe 90 PID 2076 wrote to memory of 3180 2076 msiexec.exe 94 PID 2076 wrote to memory of 3180 2076 msiexec.exe 94 PID 2076 wrote to memory of 3180 2076 msiexec.exe 94 PID 3180 wrote to memory of 5116 3180 MsiExec.exe 95 PID 3180 wrote to memory of 5116 3180 MsiExec.exe 95 PID 3180 wrote to memory of 5116 3180 MsiExec.exe 95 PID 3180 wrote to memory of 1556 3180 MsiExec.exe 97 PID 3180 wrote to memory of 1556 3180 MsiExec.exe 97 PID 3180 wrote to memory of 1556 3180 MsiExec.exe 97 PID 3180 wrote to memory of 2780 3180 MsiExec.exe 99 PID 3180 wrote to memory of 2780 3180 MsiExec.exe 99 PID 3180 wrote to memory of 2780 3180 MsiExec.exe 99 PID 3180 wrote to memory of 4676 3180 MsiExec.exe 101 PID 3180 wrote to memory of 4676 3180 MsiExec.exe 101 PID 3180 wrote to memory of 4676 3180 MsiExec.exe 101 PID 3180 wrote to memory of 4432 3180 MsiExec.exe 103 PID 3180 wrote to memory of 4432 3180 MsiExec.exe 103 PID 3180 wrote to memory of 4432 3180 MsiExec.exe 103 PID 3180 wrote to memory of 940 3180 MsiExec.exe 105 PID 3180 wrote to memory of 940 3180 MsiExec.exe 105 PID 3180 wrote to memory of 940 3180 MsiExec.exe 105 PID 3180 wrote to memory of 2804 3180 MsiExec.exe 108 PID 3180 wrote to memory of 2804 3180 MsiExec.exe 108 PID 3180 wrote to memory of 2804 3180 MsiExec.exe 108 PID 3180 wrote to memory of 3028 3180 MsiExec.exe 109 PID 3180 wrote to memory of 3028 3180 MsiExec.exe 109 PID 3180 wrote to memory of 3028 3180 MsiExec.exe 109 PID 3180 wrote to memory of 5068 3180 MsiExec.exe 111 PID 3180 wrote to memory of 5068 3180 MsiExec.exe 111 PID 3180 wrote to memory of 5068 3180 MsiExec.exe 111 PID 3180 wrote to memory of 2476 3180 MsiExec.exe 115 PID 3180 wrote to memory of 2476 3180 MsiExec.exe 115 PID 3180 wrote to memory of 2476 3180 MsiExec.exe 115 PID 3180 wrote to memory of 4488 3180 MsiExec.exe 117 PID 3180 wrote to memory of 4488 3180 MsiExec.exe 117 PID 3180 wrote to memory of 4488 3180 MsiExec.exe 117 PID 3180 wrote to memory of 4732 3180 MsiExec.exe 120 PID 3180 wrote to memory of 4732 3180 MsiExec.exe 120 PID 3180 wrote to memory of 4732 3180 MsiExec.exe 120 PID 3180 wrote to memory of 1348 3180 MsiExec.exe 122 PID 3180 wrote to memory of 1348 3180 MsiExec.exe 122 PID 3180 wrote to memory of 1348 3180 MsiExec.exe 122 PID 3180 wrote to memory of 3592 3180 MsiExec.exe 124 PID 3180 wrote to memory of 3592 3180 MsiExec.exe 124 PID 3180 wrote to memory of 3592 3180 MsiExec.exe 124 PID 3180 wrote to memory of 3732 3180 MsiExec.exe 126 PID 3180 wrote to memory of 3732 3180 MsiExec.exe 126 PID 3180 wrote to memory of 3732 3180 MsiExec.exe 126 PID 3180 wrote to memory of 1936 3180 MsiExec.exe 129 PID 3180 wrote to memory of 1936 3180 MsiExec.exe 129 PID 3180 wrote to memory of 1936 3180 MsiExec.exe 129 PID 3180 wrote to memory of 4304 3180 MsiExec.exe 132 PID 3180 wrote to memory of 4304 3180 MsiExec.exe 132 PID 3180 wrote to memory of 4304 3180 MsiExec.exe 132 PID 3180 wrote to memory of 644 3180 MsiExec.exe 133 PID 3180 wrote to memory of 644 3180 MsiExec.exe 133 PID 3180 wrote to memory of 644 3180 MsiExec.exe 133 PID 3180 wrote to memory of 3788 3180 MsiExec.exe 136 PID 3180 wrote to memory of 3788 3180 MsiExec.exe 136 PID 3180 wrote to memory of 3788 3180 MsiExec.exe 136 PID 3180 wrote to memory of 3140 3180 MsiExec.exe 138
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\mkhg_Invoice_PurpleFox.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3500
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9788997D579157001DA4B5E58AB0CEA52⤵
- Loads dropped DLL
PID:1000
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4D89DD1CC1F74DADE691F57AD41F30EB E Global\MSI00002⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\powercfg.exe"C:\Windows\SysWOW64\powercfg.exe" /S 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 900; Restart-Computer -Force3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye3⤵PID:2780
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter13⤵PID:4676
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵PID:4432
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵PID:940
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵PID:2804
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵PID:3028
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵PID:5068
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵PID:2476
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=2222 protocol=TCP3⤵PID:4488
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=3333 protocol=TCP3⤵PID:4732
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=4444 protocol=TCP3⤵PID:1348
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=5555 protocol=TCP3⤵PID:3592
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=6666 protocol=TCP3⤵PID:3732
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=7777 protocol=TCP3⤵PID:1936
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=8888 protocol=TCP3⤵PID:4304
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9000 protocol=TCP3⤵PID:644
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=9999 protocol=TCP3⤵PID:3788
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14443 protocol=TCP3⤵PID:3140
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=Me dstaddr=any dstport=14444 protocol=TCP3⤵PID:5068
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block3⤵PID:1340
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion13⤵PID:412
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y3⤵PID:3436
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\jscript.dll3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3484
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\jscript.dll /E /P everyone:N3⤵PID:848
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\jscript.dll3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4216
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\jscript.dll /E /P everyone:N3⤵PID:3292
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\cscript.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4840
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\cscript.exe /E /P everyone:N3⤵PID:3544
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\cscript.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4188
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\cscript.exe /E /P everyone:N3⤵PID:1924
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N3⤵PID:4224
-
-
C:\Windows\SysWOW64\takeown.exe"C:\Windows\SysWOW64\takeown.exe" /f C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1656
-
-
C:\Windows\SysWOW64\cacls.exe"C:\Windows\SysWOW64\cacls.exe" C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe /E /P everyone:N3⤵PID:1800
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /va /f3⤵PID:368
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\SysWOW64\reg.exe" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /va /f3⤵PID:4452
-
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\SysWOW64\reg.exe" delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg /f3⤵PID:5108
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\SysWOW64\sc.exe" stop wmiApSrv3⤵
- Launches sc.exe
PID:2744
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\SysWOW64\sc.exe" config wmiApSrv start=disabled3⤵
- Launches sc.exe
PID:3068
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD59df58e88574b86359622950f5fa6d6e1
SHA1498e91041f771d480ee05e0e55f8451be28ddb27
SHA25698627eefe0b605041f1e7ee53610c85db202020be4a1af4982140c3ea1981372
SHA512a593c474c7c9d01f72a812d141edd419bde3ce616af64b649f10eddcc34a070248db9d77825cf5ec7faae9f1594b807db33273a3068228efe31bfe7c6d9bb4b2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
Filesize
537KB
MD5d7ec04b009302b83da506b9c63ca775c
SHA16fa9ea09b71531754b4cd05814a91032229834c0
SHA25600c0e19c05f6df1a34cc3593680a6ab43874d6cd62a8046a7add91997cfabcd4
SHA512171c465fe6f89b9e60da97896990d0b68ef595c3f70ee89b44fcf411352da22a457c41f7b853157f1faa500513419e504696775eefabe520f835ce9be5f4081c
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7
-
Filesize
379KB
MD5305a50c391a94b42a68958f3f89906fb
SHA14110d68d71f3594f5d3bdfca91a1c759ab0105d4
SHA256f89c4313f2f4bc8654a7fa3697702e36688e8c2756df5ada209a7f3e3f1d906f
SHA512fcad17ce34e35de6f0c7259e92acc842db2e68008cf45e628b18d71cb3bffcfca35e233cd8ae5eb2ae758b8a6503dbe832dd70038432ccbd56c99cd45da535f7