Analysis
- max time kernel: 149s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-11-2024 02:01
Behavioral task: behavioral1
- Sample: F12E5CE5.msi
- Resource: win10v2004-20241007-en
General
- Target: F12E5CE5.msi
- Size: 1.4MB
- MD5: 409fc4c1a1823228dfa9f906ac562e82
- SHA1: 8ad688f04db5a37f9a9c7a660ea80fbe917fbb73
- SHA256: a119f54d6d301009a507a65baa184595244bc82aad5f24911ba45048b7b21904
- SHA512: 7384a1952c1971788efacbeb473672671e1c321e1996ca416db376d1d2630828d71796bd7f2ab91908b2b9a76d1608fdb178c47cd0b0257fce87eb91960f1c15
- SSDEEP: 24576:OmuDXX4St04BMeRocDP1NJnA0cGBULM0odOJjgDyk7TS4MclFdBbfYNn+Nnnm6Bl:OLXIvi5ooNXZULOMJ8O6FlFdB0N+Nnnt
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in Windows directory (14 IoCs)
  - File opened for modification: C:\Windows\Installer\MSIA5C9.tmp (msiexec.exe)
  - File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIA761.tmp (msiexec.exe)
  - File created: C:\Windows\setupact64.log (msiexec.exe)
  - File created: C:\Windows\Installer\e57a112.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIA45F.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIA55B.tmp (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\ (msiexec.exe)
  - File created: C:\Windows\Installer\SourceHash{80395032-1630-4C4B-A997-0A7CCB72C75B} (msiexec.exe)
  - File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\e57a112.msi (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIA52B.tmp (msiexec.exe)
  - File created: C:\Windows\dbcode21mk.log (msiexec.exe)
  - File opened for modification: C:\Windows\Installer\MSIA1AE.tmp (msiexec.exe)
- Loads dropped DLL (5 IoCs)
  - PID 1980 MsiExec.exe
  - PID 1980 MsiExec.exe
  - PID 1980 MsiExec.exe
  - PID 1980 MsiExec.exe
  - PID 1980 MsiExec.exe
- Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  - PID 1000 msiexec.exe
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 36 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Modifies data under HKEY_USERS (10 IoCs)
  - Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E (msiexec.exe)
  - Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 (msiexec.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 (msiexec.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (MsiExec.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (MsiExec.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (MsiExec.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (MsiExec.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (MsiExec.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings (MsiExec.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" (MsiExec.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 728 msiexec.exe
  - PID 728 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (50 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  - PID 1000 msiexec.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
Processes
- C:\Windows\system32\msiexec.exe (PID 1000)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\F12E5CE5.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 728)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1980)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 55915682E458CB5F7DE88E5BB0080094
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\syswow64\MsiExec.exe (PID 3376)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8C5879B792773D018A15BA55E8DDA20D E Global\MSI0000
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4464)
      Command line: "C:\Windows\SysWOW64\netsh.exe" interface ipv6 install
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 4864)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 1844)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter1
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 4876)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 4304)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 2268)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 1964)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 4540)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 1984)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 4124)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 636)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\netsh.exe (PID 1032)
      Command line: "C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Event Triggered Execution (2)
    - Installer Packages (1)
    - Netsh Helper DLL (1)
- Privilege Escalation
  - Event Triggered Execution (2)
    - Installer Packages (1)
    - Netsh Helper DLL (1)
Downloads