Analysis
-
max time kernel
33s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-12-2024 01:42
Behavioral task
behavioral1
Sample
20AC0B78.msi
Resource
win7-20240903-en
Errors
General
-
Target
20AC0B78.msi
-
Size
1.4MB
-
MD5
9c84926dac4e5e7037747c49f58f1724
-
SHA1
f5695587523152a08eab8f5d11c7ab3251b107d1
-
SHA256
ee013d9ff7050f96c3ff91d49e90bb60f3a2fb4d41efd918e6cb8aac6cf94e47
-
SHA512
6b476538935d69362089d8505203dadca4330ba112252870ab5be529ed8b40cca3beff7d27a4e59587b20dd33ff19cd177a1945a7158758d3630578c75b8f17a
-
SSDEEP
24576:eruDXXh3j04BMeRocDP1Nxyq7KDOJjkDOk4TB4McL8dfbfr7KCN5nQ6BAMVUTH:e+Xx4i5ooIq7iOJwyZeL8dfv7jN5nQ6I
Malware Config
Signatures
-
resource yara_rule behavioral1/files/0x0004000000004ed7-86.dat purplefox_msi -
Purplefox family
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Drops file in Windows directory 23 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f76bbd3.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI2C58.tmp msiexec.exe File created C:\Windows\Installer\f76bbd8.ipi msiexec.exe File created C:\Windows\Installer\f76bbd0.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIBC6D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBC8D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2C18.tmp msiexec.exe File opened for modification C:\Windows\setupact64.log msiexec.exe File opened for modification C:\Windows\Installer\f76bbd8.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIBCBD.tmp msiexec.exe File created C:\Windows\setupact64.log msiexec.exe File opened for modification C:\Windows\Installer\f76bbd5.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIBBEF.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\f76bbd5.msi msiexec.exe File created C:\Windows\dbcode21mk.log msiexec.exe File opened for modification C:\Windows\Installer\MSI2BB9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2C38.tmp msiexec.exe File opened for modification C:\Windows\dbcode21mk.log msiexec.exe File opened for modification C:\Windows\Installer\MSI2D05.tmp msiexec.exe File opened for modification C:\Windows\Installer\f76bbd0.msi msiexec.exe File created C:\Windows\Installer\f76bbd3.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIBDF6.tmp msiexec.exe -
Loads dropped DLL 8 IoCs
pid Process 2332 MsiExec.exe 2332 MsiExec.exe 2332 MsiExec.exe 2332 MsiExec.exe 2204 MsiExec.exe 2204 MsiExec.exe 2204 MsiExec.exe 2204 MsiExec.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 1828 msiexec.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 64 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" netsh.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E msiexec.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" netsh.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" netsh.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 netsh.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1700 msiexec.exe 1700 msiexec.exe 1700 msiexec.exe 1700 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1828 msiexec.exe Token: SeIncreaseQuotaPrivilege 1828 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeSecurityPrivilege 1700 msiexec.exe Token: SeCreateTokenPrivilege 1828 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1828 msiexec.exe Token: SeLockMemoryPrivilege 1828 msiexec.exe Token: SeIncreaseQuotaPrivilege 1828 msiexec.exe Token: SeMachineAccountPrivilege 1828 msiexec.exe Token: SeTcbPrivilege 1828 msiexec.exe Token: SeSecurityPrivilege 1828 msiexec.exe Token: SeTakeOwnershipPrivilege 1828 msiexec.exe Token: SeLoadDriverPrivilege 1828 msiexec.exe Token: SeSystemProfilePrivilege 1828 msiexec.exe Token: SeSystemtimePrivilege 1828 msiexec.exe Token: SeProfSingleProcessPrivilege 1828 msiexec.exe Token: SeIncBasePriorityPrivilege 1828 msiexec.exe Token: SeCreatePagefilePrivilege 1828 msiexec.exe Token: SeCreatePermanentPrivilege 1828 msiexec.exe Token: SeBackupPrivilege 1828 msiexec.exe Token: SeRestorePrivilege 1828 msiexec.exe Token: SeShutdownPrivilege 1828 msiexec.exe Token: SeDebugPrivilege 1828 msiexec.exe Token: SeAuditPrivilege 1828 msiexec.exe Token: SeSystemEnvironmentPrivilege 1828 msiexec.exe Token: SeChangeNotifyPrivilege 1828 msiexec.exe Token: SeRemoteShutdownPrivilege 1828 msiexec.exe Token: SeUndockPrivilege 1828 msiexec.exe Token: SeSyncAgentPrivilege 1828 msiexec.exe Token: SeEnableDelegationPrivilege 1828 msiexec.exe Token: SeManageVolumePrivilege 1828 msiexec.exe Token: SeImpersonatePrivilege 1828 msiexec.exe Token: SeCreateGlobalPrivilege 1828 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeRestorePrivilege 1700 msiexec.exe Token: SeTakeOwnershipPrivilege 1700 msiexec.exe Token: SeShutdownPrivilege 612 msiexec.exe Token: SeIncreaseQuotaPrivilege 612 msiexec.exe Token: SeCreateTokenPrivilege 612 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 612 msiexec.exe Token: SeLockMemoryPrivilege 612 msiexec.exe Token: SeIncreaseQuotaPrivilege 612 msiexec.exe Token: SeMachineAccountPrivilege 612 msiexec.exe Token: SeTcbPrivilege 612 msiexec.exe Token: SeSecurityPrivilege 612 msiexec.exe Token: SeTakeOwnershipPrivilege 612 msiexec.exe Token: SeLoadDriverPrivilege 612 msiexec.exe Token: SeSystemProfilePrivilege 612 msiexec.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1828 msiexec.exe 1828 msiexec.exe 612 msiexec.exe 612 msiexec.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1700 wrote to memory of 2332 1700 msiexec.exe 31 PID 1700 wrote to memory of 2332 1700 msiexec.exe 31 PID 1700 wrote to memory of 2332 1700 msiexec.exe 31 PID 1700 wrote to memory of 2332 1700 msiexec.exe 31 PID 1700 wrote to memory of 2332 1700 msiexec.exe 31 PID 1700 wrote to memory of 2332 1700 msiexec.exe 31 PID 1700 wrote to memory of 2332 1700 msiexec.exe 31 PID 1700 wrote to memory of 2896 1700 msiexec.exe 32 PID 1700 wrote to memory of 2896 1700 msiexec.exe 32 PID 1700 wrote to memory of 2896 1700 msiexec.exe 32 PID 1700 wrote to memory of 2896 1700 msiexec.exe 32 PID 1700 wrote to memory of 2896 1700 msiexec.exe 32 PID 1700 wrote to memory of 2896 1700 msiexec.exe 32 PID 1700 wrote to memory of 2896 1700 msiexec.exe 32 PID 2896 wrote to memory of 2356 2896 MsiExec.exe 33 PID 2896 wrote to memory of 2356 2896 MsiExec.exe 33 PID 2896 wrote to memory of 2356 2896 MsiExec.exe 33 PID 2896 wrote to memory of 2356 2896 MsiExec.exe 33 PID 2896 wrote to memory of 2716 2896 MsiExec.exe 35 PID 2896 wrote to memory of 2716 2896 MsiExec.exe 35 PID 2896 wrote to memory of 2716 2896 MsiExec.exe 35 PID 2896 wrote to memory of 2716 2896 MsiExec.exe 35 PID 2896 wrote to memory of 2900 2896 MsiExec.exe 37 PID 2896 wrote to memory of 2900 2896 MsiExec.exe 37 PID 2896 wrote to memory of 2900 2896 MsiExec.exe 37 PID 2896 wrote to memory of 2900 2896 MsiExec.exe 37 PID 2896 wrote to memory of 2692 2896 MsiExec.exe 39 PID 2896 wrote to memory of 2692 2896 MsiExec.exe 39 PID 2896 wrote to memory of 2692 2896 MsiExec.exe 39 PID 2896 wrote to memory of 2692 2896 MsiExec.exe 39 PID 2896 wrote to memory of 3056 2896 MsiExec.exe 41 PID 2896 wrote to memory of 3056 2896 MsiExec.exe 41 PID 2896 wrote to memory of 3056 2896 MsiExec.exe 41 PID 2896 wrote to memory of 3056 2896 MsiExec.exe 41 PID 2896 wrote to memory of 1704 2896 MsiExec.exe 43 PID 2896 wrote to memory of 1704 2896 MsiExec.exe 43 PID 2896 wrote to memory of 1704 2896 MsiExec.exe 43 PID 2896 wrote to memory of 1704 2896 MsiExec.exe 43 PID 2896 wrote to memory of 1980 2896 MsiExec.exe 45 PID 2896 wrote to memory of 1980 2896 MsiExec.exe 45 PID 2896 wrote to memory of 1980 2896 MsiExec.exe 45 PID 2896 wrote to memory of 1980 2896 MsiExec.exe 45 PID 2896 wrote to memory of 1512 2896 MsiExec.exe 47 PID 2896 wrote to memory of 1512 2896 MsiExec.exe 47 PID 2896 wrote to memory of 1512 2896 MsiExec.exe 47 PID 2896 wrote to memory of 1512 2896 MsiExec.exe 47 PID 2896 wrote to memory of 1056 2896 MsiExec.exe 49 PID 2896 wrote to memory of 1056 2896 MsiExec.exe 49 PID 2896 wrote to memory of 1056 2896 MsiExec.exe 49 PID 2896 wrote to memory of 1056 2896 MsiExec.exe 49 PID 2896 wrote to memory of 2036 2896 MsiExec.exe 51 PID 2896 wrote to memory of 2036 2896 MsiExec.exe 51 PID 2896 wrote to memory of 2036 2896 MsiExec.exe 51 PID 2896 wrote to memory of 2036 2896 MsiExec.exe 51 PID 2896 wrote to memory of 2808 2896 MsiExec.exe 53 PID 2896 wrote to memory of 2808 2896 MsiExec.exe 53 PID 2896 wrote to memory of 2808 2896 MsiExec.exe 53 PID 2896 wrote to memory of 2808 2896 MsiExec.exe 53 PID 2896 wrote to memory of 2256 2896 MsiExec.exe 55 PID 2896 wrote to memory of 2256 2896 MsiExec.exe 55 PID 2896 wrote to memory of 2256 2896 MsiExec.exe 55 PID 2896 wrote to memory of 2256 2896 MsiExec.exe 55 PID 1700 wrote to memory of 2204 1700 msiexec.exe 62 PID 1700 wrote to memory of 2204 1700 msiexec.exe 62
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\20AC0B78.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1828
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DCC0392E7D03D08EFCC134F81738E1B82⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2332
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 15D7CEAA59F5319156003281A3C09FBD M Global\MSI00002⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2356
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2716
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter13⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2900
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2692
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3056
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1704
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1980
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1512
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1056
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2036
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion13⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2808
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2256
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F3A77661DCE940719252A8A4DE27A5322⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2204
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 24DBD4A4E4B65922DC3CC58B6322B781 M Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" interface ipv6 install3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1028
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add policy name=qianye3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2908
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filterlist name=Filter13⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2832
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2616
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2360
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1492
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2604
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1796
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1864
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1524
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion13⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1832
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe" ipsec static set policy name=qianye assign=y3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2952
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1308
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\20AC0B78.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:612
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2624
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:3000
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Privilege Escalation
Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5edee22d9b2ab428fd43adb5553c20253
SHA19cedb7570b5616fde34b539872f7220f1c57d71f
SHA2565f82516562fefd0d831b9b25d0e9243ba727fe982be4211503ab33f335799a5a
SHA5122262f0aab758d49c015e88326fa139914992d391e215a89382dd36fffb6ac5c9dfdba8dc41dd192d7e09dc6dd9da6e70d6afffca0f344c6a64d34a787b11499a
-
Filesize
3KB
MD5180613bda29e808b7d0b99d6c0a1d812
SHA1b8c03e13817d888b93b53195f225af0f40b4a175
SHA2562b0b03f6a1da545e629cbc7ae8379f6085857dbebbed3ad1d9f040eadd3bfd01
SHA512a4870eaa3f713a4210aff5e3d4abc1c9e9941d6ff8a109dd73214c1a6f44f662d324ff072748e3ca2cff75ee80febcf3c9983c93cebc07001fdbb5c810fa9bbc
-
Filesize
141KB
MD54ba8ef50ce73395ad623c770c10e35a7
SHA163600584c296c0cbe1775a759c34ab384e1bbf76
SHA2566094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55
SHA5120730585476d8ded7b363afa486733c6c234704de5cf65f1171ec727f1b826c8a228c0ff5f6f6c219a220ea1794c4c462ab1d45ca48cb62e5eea94dd850ae4206
-
Filesize
118KB
MD54b49c57cbefa1d2773da1f95338e294d
SHA1108ea90d8a42cf31f7d8d7710b5fd713ca048ef9
SHA25668c66657b569cad9cc6e1f5adf0795b5df444ec9945c0d86c62c5abc8aaddc08
SHA51242c61f24196c2682343309cbcdcea185a4100603c649e053c11e2efadef8983c411ef4c61ca71025460baf3d4155157242b2f4ce02a88b6ca2d1922651036165
-
Filesize
1.4MB
MD59c84926dac4e5e7037747c49f58f1724
SHA1f5695587523152a08eab8f5d11c7ab3251b107d1
SHA256ee013d9ff7050f96c3ff91d49e90bb60f3a2fb4d41efd918e6cb8aac6cf94e47
SHA5126b476538935d69362089d8505203dadca4330ba112252870ab5be529ed8b40cca3beff7d27a4e59587b20dd33ff19cd177a1945a7158758d3630578c75b8f17a
-
Filesize
466KB
MD525d7d4d9cb576fbe8312f62a3ca6befc
SHA14067cf680c452e37b247831a73bb8c3c681101de
SHA256bd420aafa950d350801ae2ad331bb23167f94b710f6ef1d0d24b5c0fe76e349c
SHA512c0b0105940b54862f7bf8811e1b1048ae81740d9dd84e3f93f7cc0753841d97fa1e2df27309b36b0952f264d2b9f9ce6d411be2eb4901a54ce72abdb368dbd3b
-
Filesize
385KB
MD5ba8c6938aa6973e5081f48f1d61e2969
SHA15fc84fb8a1052c66c3456b39ff0b2f1ba30bac01
SHA2567893c5e68ff78d76c0b4b8ba5ae2367fa9c285efe520de44ff12498ba90df5b0
SHA5128bd5fd25a81fb51996bfbd07d2da4e4de83da36f2eb964dc9558522b2f5c5c1280f3c84606582cdca54c3d78ff1883b43b7c2f9c9a30b556b11f5c11e8c25ff5