Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2024, 01:14
Static task: static1
Behavioral task: behavioral1
  Sample: i4Tools_ns9.9.8.6.msi
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: i4Tools_ns9.9.8.6.msi
  Resource: win10v2004-20240802-en
General
- Target: i4Tools_ns9.9.8.6.msi
- Size: 232.3MB
- MD5: 5cc9c7280b6ac33963bc8160d934541e
- SHA1: 9f33f68852f3fc3e4028de14e54babe1860e9d9b
- SHA256: 8ed36de47fb703e516f63d7db1708dbfac0bc3619024d7769796d7ebeddb3603
- SHA512: 1548167410270a2a25bc75d2d3b2b1c9a3a8b18b56fe545614617c7290d5981d824b913e017a7d31f5ea5948af3a153238b55450b1c0132fb51a6cc491cd8160
- SSDEEP: 6291456:5ME4FlRDcoxNkXSm6CxxRPo8BMvm1LpkABIU:5cFlRDRE/7Pf1Bl
Malware Config
Signatures
-
resource  yara_rule
behavioral2/memory/4636-70-0x000000002BA90000-0x000000002BC4B000-memory.dmp  purplefox_rootkit
behavioral2/memory/4636-72-0x000000002BA90000-0x000000002BC4B000-memory.dmp  purplefox_rootkit
behavioral2/memory/4636-73-0x000000002BA90000-0x000000002BC4B000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 3 IoCs
resource  yara_rule
behavioral2/memory/4636-70-0x000000002BA90000-0x000000002BC4B000-memory.dmp  family_gh0strat
behavioral2/memory/4636-72-0x000000002BA90000-0x000000002BC4B000-memory.dmp  family_gh0strat
behavioral2/memory/4636-73-0x000000002BA90000-0x000000002BC4B000-memory.dmp  family_gh0strat
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\L:  LyHdRfaUXB12.exe
File opened (read-only)  \??\O:  LyHdRfaUXB12.exe
File opened (read-only)  \??\T:  LyHdRfaUXB12.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\J:  LyHdRfaUXB12.exe
File opened (read-only)  \??\K:  LyHdRfaUXB12.exe
File opened (read-only)  \??\Q:  LyHdRfaUXB12.exe
File opened (read-only)  \??\S:  LyHdRfaUXB12.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\I:  LyHdRfaUXB12.exe
File opened (read-only)  \??\N:  LyHdRfaUXB12.exe
File opened (read-only)  \??\V:  LyHdRfaUXB12.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  LyHdRfaUXB12.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\H:  LyHdRfaUXB12.exe
File opened (read-only)  \??\X:  LyHdRfaUXB12.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\B:  LyHdRfaUXB12.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\R:  LyHdRfaUXB12.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\G:  LyHdRfaUXB12.exe
File opened (read-only)  \??\M:  LyHdRfaUXB12.exe
File opened (read-only)  \??\Z:  LyHdRfaUXB12.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\E:  LyHdRfaUXB12.exe
File opened (read-only)  \??\U:  LyHdRfaUXB12.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
Drops file in System32 directory 1 IoCs
description  ioc  Process
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\oKzWEzpMpqXX.exe.log  oKzWEzpMpqXX.exe
Drops file in Program Files directory 14 IoCs
description  ioc  Process
File created  C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe  msiexec.exe
File opened for modification  C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe  PRsFNBCyinrq.exe
File opened for modification  C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe  PRsFNBCyinrq.exe
File created  C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe  PRsFNBCyinrq.exe
File opened for modification  C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.wrapper.log  oKzWEzpMpqXX.exe
File opened for modification  C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.wrapper.log  oKzWEzpMpqXX.exe
File created  C:\Program Files\GuideDirectorMajestic\WMUoveSFZAOhfUNUDShs  msiexec.exe
File opened for modification  C:\Program Files\GuideDirectorMajestic  LyHdRfaUXB12.exe
File opened for modification  C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.wrapper.log  oKzWEzpMpqXX.exe
File opened for modification  C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.xml  PRsFNBCyinrq.exe
File created  C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe  PRsFNBCyinrq.exe
File created  C:\Program Files\GuideDirectorMajestic\common_clang32.dll  msiexec.exe
File created  C:\Program Files\GuideDirectorMajestic\i4Tools8Setupx64.exe  msiexec.exe
File created  C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.xml  PRsFNBCyinrq.exe
Drops file in Windows directory 8 IoCs
description  ioc  Process
File created  C:\Windows\Installer\SourceHash{EB1284F2-8EF2-46B3-A1EF-5EA2CDDB50AF}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIEF42.tmp  msiexec.exe
File created  C:\Windows\Installer\e57e8ac.msi  msiexec.exe
File created  C:\Windows\Installer\e57e8aa.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\e57e8aa.msi  msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
Executes dropped EXE 8 IoCs
pid  Process
2804  PRsFNBCyinrq.exe
3976  LyHdRfaUXB12.exe
4648  oKzWEzpMpqXX.exe
1624  i4Tools8Setupx64.exe
5000  oKzWEzpMpqXX.exe
1340  oKzWEzpMpqXX.exe
4368  LyHdRfaUXB12.exe
4636  LyHdRfaUXB12.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid  Process
1040  msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PRsFNBCyinrq.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LyHdRfaUXB12.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  i4Tools8Setupx64.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LyHdRfaUXB12.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  LyHdRfaUXB12.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value omitted from the report]  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  LyHdRfaUXB12.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  LyHdRfaUXB12.exe
Modifies data under HKEY_USERS 10 IoCs
description  ioc  Process
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26  msiexec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  MsiExec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  MsiExec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  MsiExec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings  MsiExec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  MsiExec.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27  msiexec.exe
Modifies registry class 22 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\ProductName = "GuideDirectorMajestic"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\Version = "50397187"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96406823274B666478EB968B7D40B776\2F4821BE2FE83B641AFEE52ADCBD05FA  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\Language = "1033"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\PackageName = "i4Tools_ns9.9.8.6.msi"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\Net  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\PackageCode = "959E13194283C7442AFCC13DFA454E3F"  msiexec.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\Clients = 3a0000000000  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\DeploymentFlags = "3"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2F4821BE2FE83B641AFEE52ADCBD05FA\ProductFeature  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\Assignment = "1"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\AdvertiseFlags = "388"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\InstanceType = "0"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\AuthorizedLUAApp = "0"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\96406823274B666478EB968B7D40B776  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\Media  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2F4821BE2FE83B641AFEE52ADCBD05FA  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2F4821BE2FE83B641AFEE52ADCBD05FA\SourceList\Media\1 = ";"  msiexec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process  (identical rows collapsed; 64 rows in total)
3728  msiexec.exe  (2 rows)
3976  LyHdRfaUXB12.exe  (2 rows)
1624  i4Tools8Setupx64.exe  (2 rows)
1340  oKzWEzpMpqXX.exe  (2 rows)
4368  LyHdRfaUXB12.exe  (4 rows)
4636  LyHdRfaUXB12.exe  (52 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeShutdownPrivilege  1040  msiexec.exe
Token: SeIncreaseQuotaPrivilege  1040  msiexec.exe
Token: SeSecurityPrivilege  3728  msiexec.exe
Token: SeCreateTokenPrivilege  1040  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  1040  msiexec.exe
Token: SeLockMemoryPrivilege  1040  msiexec.exe
Token: SeIncreaseQuotaPrivilege  1040  msiexec.exe
Token: SeMachineAccountPrivilege  1040  msiexec.exe
Token: SeTcbPrivilege  1040  msiexec.exe
Token: SeSecurityPrivilege  1040  msiexec.exe
Token: SeTakeOwnershipPrivilege  1040  msiexec.exe
Token: SeLoadDriverPrivilege  1040  msiexec.exe
Token: SeSystemProfilePrivilege  1040  msiexec.exe
Token: SeSystemtimePrivilege  1040  msiexec.exe
Token: SeProfSingleProcessPrivilege  1040  msiexec.exe
Token: SeIncBasePriorityPrivilege  1040  msiexec.exe
Token: SeCreatePagefilePrivilege  1040  msiexec.exe
Token: SeCreatePermanentPrivilege  1040  msiexec.exe
Token: SeBackupPrivilege  1040  msiexec.exe
Token: SeRestorePrivilege  1040  msiexec.exe
Token: SeShutdownPrivilege  1040  msiexec.exe
Token: SeDebugPrivilege  1040  msiexec.exe
Token: SeAuditPrivilege  1040  msiexec.exe
Token: SeSystemEnvironmentPrivilege  1040  msiexec.exe
Token: SeChangeNotifyPrivilege  1040  msiexec.exe
Token: SeRemoteShutdownPrivilege  1040  msiexec.exe
Token: SeUndockPrivilege  1040  msiexec.exe
Token: SeSyncAgentPrivilege  1040  msiexec.exe
Token: SeEnableDelegationPrivilege  1040  msiexec.exe
Token: SeManageVolumePrivilege  1040  msiexec.exe
Token: SeImpersonatePrivilege  1040  msiexec.exe
Token: SeCreateGlobalPrivilege  1040  msiexec.exe
Token: SeBackupPrivilege  1248  vssvc.exe
Token: SeRestorePrivilege  1248  vssvc.exe
Token: SeAuditPrivilege  1248  vssvc.exe
Token: SeBackupPrivilege  3728  msiexec.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Token: SeTakeOwnershipPrivilege  3728  msiexec.exe
Token: SeBackupPrivilege  2360  srtasks.exe
Token: SeRestorePrivilege  2360  srtasks.exe
Token: SeSecurityPrivilege  2360  srtasks.exe
Token: SeTakeOwnershipPrivilege  2360  srtasks.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Token: SeTakeOwnershipPrivilege  3728  msiexec.exe
Token: SeBackupPrivilege  2360  srtasks.exe
Token: SeRestorePrivilege  2360  srtasks.exe
Token: SeSecurityPrivilege  2360  srtasks.exe
Token: SeTakeOwnershipPrivilege  2360  srtasks.exe
Token: SeDebugPrivilege  4648  oKzWEzpMpqXX.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Token: SeTakeOwnershipPrivilege  3728  msiexec.exe
Token: SeDebugPrivilege  1624  i4Tools8Setupx64.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Token: SeTakeOwnershipPrivilege  3728  msiexec.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Token: SeTakeOwnershipPrivilege  3728  msiexec.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Token: SeTakeOwnershipPrivilege  3728  msiexec.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Token: SeTakeOwnershipPrivilege  3728  msiexec.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Token: SeTakeOwnershipPrivilege  3728  msiexec.exe
Token: SeRestorePrivilege  3728  msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process
1040  msiexec.exe
1040  msiexec.exe
Suspicious use of WriteProcessMemory 19 IoCs
description  pid  Process  procid_target
PID 3728 wrote to memory of 2360  3728  msiexec.exe  92
PID 3728 wrote to memory of 2360  3728  msiexec.exe  92
PID 3728 wrote to memory of 1056  3728  msiexec.exe  94
PID 3728 wrote to memory of 1056  3728  msiexec.exe  94
PID 1056 wrote to memory of 2804  1056  MsiExec.exe  95
PID 1056 wrote to memory of 2804  1056  MsiExec.exe  95
PID 1056 wrote to memory of 2804  1056  MsiExec.exe  95
PID 1056 wrote to memory of 3976  1056  MsiExec.exe  99
PID 1056 wrote to memory of 3976  1056  MsiExec.exe  99
PID 1056 wrote to memory of 3976  1056  MsiExec.exe  99
PID 1056 wrote to memory of 1624  1056  MsiExec.exe  100
PID 1056 wrote to memory of 1624  1056  MsiExec.exe  100
PID 1056 wrote to memory of 1624  1056  MsiExec.exe  100
PID 1340 wrote to memory of 4368  1340  oKzWEzpMpqXX.exe  106
PID 1340 wrote to memory of 4368  1340  oKzWEzpMpqXX.exe  106
PID 1340 wrote to memory of 4368  1340  oKzWEzpMpqXX.exe  106
PID 4368 wrote to memory of 4636  4368  LyHdRfaUXB12.exe  107
PID 4368 wrote to memory of 4636  4368  LyHdRfaUXB12.exe  107
PID 4368 wrote to memory of 4636  4368  LyHdRfaUXB12.exe  107
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; children are indented under their parent)

C:\Windows\system32\msiexec.exe (PID 1040)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4Tools_ns9.9.8.6.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 3728)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe (PID 2360)
      command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\MsiExec.exe (PID 1056)
      command line: C:\Windows\System32\MsiExec.exe -Embedding D5C773870B5B458378D1CF3D3B277750 E Global\MSI0000
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

        C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe (PID 2804)
          command line: "C:\Program Files\GuideDirectorMajestic\PRsFNBCyinrq.exe" x "C:\Program Files\GuideDirectorMajestic\WMUoveSFZAOhfUNUDShs" -o"C:\Program Files\GuideDirectorMajestic\" -pUaLIpHJjhMODAzOiylZA -y
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe (PID 3976)
          command line: "C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe" -number 101 -file file3 -mode mode3 -flag flag3
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\GuideDirectorMajestic\i4Tools8Setupx64.exe (PID 1624)
          command line: "C:\Program Files\GuideDirectorMajestic\i4Tools8Setupx64.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe (PID 1248)
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe (PID 4648)
  command line: "C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe" install
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe (PID 5000)
  command line: "C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe" start
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe (PID 1340)
  command line: "C:\Program Files\GuideDirectorMajestic\oKzWEzpMpqXX.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe (PID 4368)
      command line: "C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe" -number 235 -file file3 -mode mode3 -flag flag3
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe (PID 4636)
          command line: "C:\Program Files\GuideDirectorMajestic\LyHdRfaUXB12.exe" -number 362 -file file3 -mode mode3 -flag flag3
          - Enumerates connected drives
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7KB
MD5: 2bc2bad928283eacce0c8a5ec4a75495
SHA1: 7b3ea66ffd9dfde8b3cef7e4a1513693a61b8d61
SHA256: 74e6018b1557db8fbf31e678250028090b339be103cc91e2b51251b30907e800
SHA512: 96a4a2101ddca6d63202c148e0915eabd9fab94c7950159ea8e8298cce28fbd06224dc305415b936e1093b38265594c027c3d585cbcf9402c2e2beb32a5b50d4

Filesize: 2.8MB
MD5: e274e2b9cafc75fc874aa56a40f2f20b
SHA1: be492f85fa47422e0dea88ef38e87670ca698fa4
SHA256: d464844275663ca56a44d42a9401af0193f94fc82b559e71d8333926fa304424
SHA512: 11c482e066678791ba98a8ce1e016aab8ab6a15864d63137f439a445721e3a802095b42e0069677ee7b6892423a3f0bbbfe934ff177866924646053cd799463b

Filesize: 574KB
MD5: 42badc1d2f03a8b1e4875740d3d49336
SHA1: cee178da1fb05f99af7a3547093122893bd1eb46
SHA256: c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA512: 6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Filesize: 1.6MB
MD5: c2cafebae1a025baabc17b4eeca638f6
SHA1: 1fc8638271ea468e2b2fbe4f5a3502da1fe54207
SHA256: 5a791f23acbb035e1d05a484eb9bd6d805a3f56464901595193f4f68e1173e47
SHA512: 659834c96b72d76b4aa7d42463b56db7c9dde4e7c91fd5252f410b3ae01edd6479a6b9a606203f341f5a9acaefd73b65c34ab25c836bbec8dc8b8cb0b8156426

Filesize: 832KB
MD5: d305d506c0095df8af223ac7d91ca327
SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Filesize: 264B
MD5: 19e3b0686a4715d437dcab4df5c1be25
SHA1: 2df100e89102da8afa6f9547321b195f2f938378
SHA256: 0c7a1415a7ae0605e58f133e665043711cf710f7b26dd394d6f4bf77a15c4b3d
SHA512: 940909777d45bf1c7111d9fd92a2100a36901f3d6550e10ad3a2b9eb6c6b2afaedf502a4cb3e08279911d69fe444a1c547f7ea2a326a7b442e4f22884b61e092

Filesize: 419B
MD5: 9ee27c6013443759fe2c77492e0e6b35
SHA1: c6bb1871f79bae8430b4952d897af42ed6cfe554
SHA256: 2cbf08b9c6da58d519bce9e244bf8e1a7d36c3450dcbd31b2ab353d903d1dd0c
SHA512: f2b58f31ba3b65965921dcda43762f371d5249ebde1788ef25bf52812b1150997e9ce8c7b3433f731f956be42e1396e44a86069cd873f46edefa66c6a2e94450

Filesize: 483B
MD5: ce92307e2d93ef8c74ea098678cbfc73
SHA1: 1e1bf11ff6067bf8409768f79302d79ff8959bd7
SHA256: 562740415fc41f036a2289f68d4c0ba936c9767b43f2fa9953998846cd8f21b8
SHA512: 2ca5970750e64203b52796530ec024b7a27b66c6fa00246843104b714a06887c494a30d4b9ded67304878cb5abd35ec5c6ba61ec7bfb0cea8adf93fdbc0a50ec

Filesize: 771B
MD5: d9e28ee2c0c976cae926d8730d48d4af
SHA1: e0838ab3322ddb6daf7c614889f6a00b87fba16f
SHA256: 19b3bc0d72cab5244e65d903bd21cf9ec5f3e46586bebea18e0dfc4a96d419a7
SHA512: 2a1e47b1074d27f167b8b6b9f23c41095ded39631283c4db3a35dc69c9bd4805008034b66e3d3d70f68f0f78204e6b984e2549d7e30bf9473b86c9e30af0494e

Filesize: 437B
MD5: ad094428e59889aa9e7fa085a65919d7
SHA1: e7bcbfe38ba1b1d6619500778fcd8a6b9aa33bce
SHA256: bf2e36666aef392d4b333fc82ac5fb1a5f5c24a05cd53043b63c19813f035dab
SHA512: b3bec6c438cc382fabccdff98f6922942557ba3d3327f4ea900c6f87436b721ba71185ad4c204b6b380b590f481eb69a8b9f2412d8a4d3d2f613d654828ca324

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\oKzWEzpMpqXX.exe.log
Filesize: 1KB
MD5: 122cf3c4f3452a55a92edee78316e071
SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Filesize: 23.7MB
MD5: c9da72d19459b6089d2977d6e5adc2e1
SHA1: d14e8720750535a0fd6a38c88356d4d907aede8d
SHA256: 1fc699e9da162c3512586beb03f54b53b85d82aaa73d075112cd25bed4658b29
SHA512: 568118f8fda67cd4474ed71a635230ee322b89c5fcc90095890270d5045372233a9bc9ced71d22de517f16e16d7b898d393221adf2e325bb0f391a8ac39b73cd

\??\Volume{f1c9ec80-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{04083376-ae7e-4a00-b379-f462e9aae433}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 3db43ae1283945907c2756c467c94e5e
SHA1: 7753ef9493cf3601698a67cbac33d225d30a0eb5
SHA256: f59b9892c0f2b1310aa33fb55c98344fc61cad2cc9b18fe8bf530ca858a11526
SHA512: 4e4f4e18fec60218931cfc8719c8c49d3a274ea410489e564cc6a68131addb1b90bc8f84c6875ade1fa49587c4efc3f7d02256facf07bad2b4c25b456f52047d