Analysis
- max time kernel: 131s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 22-04-2024 03:10
Behavioral task behavioral1
- Sample: C558B828.Png.msi
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: C558B828.Png.msi
- Resource: win10v2004-20240412-en
General
- Target: C558B828.Png.msi
- Size: 1.4MB
- MD5: c12241be2c41ae69187ca9faf83494ff
- SHA1: 5b1de649f2bc4eb08f1d83f7ea052de5b8fe141f
- SHA256: 43eef76fa966395bde56b4e3812831ca75ad010e3b8216103358deb09bdc14d1
- SHA512: 0b2dbf2278fef86a122952683668a795e76cb5e30c1d98b52f5fa5dbc9f1bc152c64aeeab69c9c4befd27ded3f879a3ebd9bc135c66e164d14ae5e8189c1b527
- SSDEEP: 24576:FsuDXXNwG04BMeRocDP1NPQDhkPTG4Mcgiwkew8vroUQGDXDNSnf6BlMRUT:FVXdsi5ooAFeBRSw8vlQIzNSnf6y4
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe
- Drops file in Windows directory (12 IoCs)
  Processes: msiexec.exe
  - File opened for modification: C:\Windows\Installer\MSI9C60.tmp
  - File opened for modification: C:\Windows\Installer\MSI9CCE.tmp
  - File opened for modification: C:\Windows\Installer\MSI9D7A.tmp
  - File opened for modification: C:\Windows\Installer\
  - File opened for modification: C:\Windows\Installer\MSIA3A3.tmp
  - File created: C:\Windows\dbcode21mk.log
  - File created: C:\Windows\Installer\f769972.msi
  - File opened for modification: C:\Windows\Installer\f769972.msi
  - File opened for modification: C:\Windows\Installer\MSI99FE.tmp
  - File created: C:\Windows\Installer\f769975.ipi
  - File created: C:\Windows\setupact64.log
  - File opened for modification: C:\Windows\Installer\f769975.ipi
- Loads dropped DLL (4 IoCs)
  Processes: MsiExec.exe (PID 2548)
- Modifies data under HKEY_USERS (31 IoCs)
  Processes: netsh.exe, msiexec.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: msiexec.exe (PID 2852)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: msiexec.exe (PID 2768)
- Suspicious use of AdjustPrivilegeToken (52 IoCs)
  Processes: msiexec.exe (PID 2768), msiexec.exe (PID 2852)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: msiexec.exe (PID 2768)
- Suspicious use of WriteProcessMemory (62 IoCs)
  Processes: msiexec.exe (PID 2852), MsiExec.exe (PID 2556)
Processes
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\C558B828.Png.msi
  - Enumerates connected drives
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A31BA7D5ADCFB66CBBDC8C8C24DB4286
    - Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe (depth 2)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 89A8A4038156C8152724B6525946714D M Global\MSI0000
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
      - Modifies data under HKEY_USERS
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Config.Msi\f769976.rbs (2KB)
  MD5: 7b331f619321de7e72941a817536de15
  SHA1: ee84165452c1aa2fcbdeb2028d8327b80c2a447f
  SHA256: 109765d17662c86432c61b95a01cd04ffd4927d2596796981bd6c4e50a50f16e
  SHA512: dbc75d19642941ef4ef6f6ff036dc1cc3cc895327c6bc902a9df82123d3596b26fbdc27888da880cf247c70b8686c2081649d7316e2e589f1efe13cc904d02a4
- C:\Windows\Installer\MSI99FE.tmp (141KB)
  MD5: 4ba8ef50ce73395ad623c770c10e35a7
  SHA1: 63600584c296c0cbe1775a759c34ab384e1bbf76
  SHA256: 6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
  SHA512: 0730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
- \Windows\Installer\MSI9CCE.tmp (118KB)
  MD5: 4b49c57cbefa1d2773da1f95338e294d
  SHA1: 108ea90d8a42cf31f7d8d7710b5fd713ca048ef9
  SHA256: 68c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08
  SHA512: 42c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165
- memory/2548-5-0x0000000074400000-0x0000000074465000-memory.dmp (404KB)
- memory/2548-6-0x00000000001E0000-0x00000000001E3000-memory.dmp (12KB)
- memory/2548-11-0x0000000074400000-0x0000000074465000-memory.dmp (404KB)
- memory/2548-18-0x00000000001E0000-0x00000000001E3000-memory.dmp (12KB)
- memory/2548-17-0x0000000074420000-0x0000000074470000-memory.dmp (320KB)
- memory/2548-23-0x0000000074400000-0x0000000074465000-memory.dmp (404KB)
- memory/2548-12-0x00000000001E0000-0x00000000001E3000-memory.dmp (12KB)