Analysis
-
max time kernel
150s
-
max time network
163s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
16-11-2024 12:37
Static task
static1
Behavioral task
behavioral1
Sample
b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a.msi
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a.msi
Resource
win10v2004-20241007-en
General
-
Target
b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a.msi
-
Size
265.5MB
-
MD5
ba1524657e23f77a7c91c2e89817dc03
-
SHA1
5759d61e85d0a6e528f4f0cde621e02d692f8151
-
SHA256
b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a
-
SHA512
d096b401ac8cdd86f6b55b44a2946d95bd81be15233952401265201bcd48e0af9f2fe0679964a0862d1046f08f8458dcc24e96f008e9d75675a9f2e059082234
-
SSDEEP
3145728:CPZHar69MPLkp0/LtpZ+WE5KPLo4xpksqqtPTel5W4XfWymu5nR/8ZM3GZV/ArfC:qZ6r69MYpet/+ZQLoeBJilujY7Ws0qH
Malware Config
Signatures
-
resource yara_rule
behavioral2/memory/4024-70-0x0000000010000000-0x0000000010199000-memory.dmp purplefox_rootkit
behavioral2/memory/4024-77-0x0000000000400000-0x0000000001400000-memory.dmp purplefox_rootkit
-
Gh0st RAT payload 3 IoCs
resource yara_rule
behavioral2/memory/4024-69-0x0000000000400000-0x0000000001400000-memory.dmp family_gh0strat
behavioral2/memory/4024-70-0x0000000010000000-0x0000000010199000-memory.dmp family_gh0strat
behavioral2/memory/4024-77-0x0000000000400000-0x0000000001400000-memory.dmp family_gh0strat
-
Gh0strat family
-
Purplefox family
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
-
resource yara_rule
behavioral2/memory/4024-69-0x0000000000400000-0x0000000001400000-memory.dmp upx
behavioral2/memory/4024-77-0x0000000000400000-0x0000000001400000-memory.dmp upx
-
Drops file in Program Files directory 2 IoCs
description ioc Process
File created C:\Program Files (x86)\aisizhushou-\aisizhushou-\dzaisizs.exe msiexec.exe
File created C:\Program Files (x86)\aisizhushou-\aisizhushou-\i4Tools_v7.98.79_Setup.exe msiexec.exe
-
Drops file in Windows directory 11 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\MSI1ECF.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI1FAA.tmp msiexec.exe
File opened for modification C:\Windows\Installer\e581b82.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\MSI1D28.tmp msiexec.exe
File created C:\Windows\Installer\SourceHash{4BF4E074-8EAB-444D-98A4-72D8DE9AB635} msiexec.exe
File opened for modification C:\Windows\Installer\MSI2808.tmp msiexec.exe
File created C:\Windows\Installer\e581b84.msi msiexec.exe
File created C:\Windows\Installer\e581b82.msi msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
-
Executes dropped EXE 1 IoCs
pid Process
4024 dzaisizs.exe
-
Loads dropped DLL 9 IoCs
pid Process
1868 MsiExec.exe
1868 MsiExec.exe
1868 MsiExec.exe
1868 MsiExec.exe
1868 MsiExec.exe
2488 MsiExec.exe
2488 MsiExec.exe
2488 MsiExec.exe
1868 MsiExec.exe
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process
1248 msiexec.exe
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dzaisizs.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache vssvc.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
-
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe
-
Modifies registry class 23 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\470E4FB4BAE8D444894A278DEDA96B53\MainFeature msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\PackageCode = "95641163BFAAC2E49B6EE9D7E385965F" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\Language = "2052" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\Version = "16777216" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\AdvertiseFlags = "388" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\AuthorizedLUAApp = "0" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\DeploymentFlags = "3" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\470E4FB4BAE8D444894A278DEDA96B53 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\PackageName = "b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a.msi" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Media msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Media\1 = ";" msiexec.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\Clients = 3a0000000000 msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\35A369A6BA02B8F4EB1FE568BE878C7E\470E4FB4BAE8D444894A278DEDA96B53 msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Net msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Media\DiskPrompt = "[1]" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\35A369A6BA02B8F4EB1FE568BE878C7E msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\InstanceType = "0" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\ProductName = "aisizhushou-" msiexec.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\Assignment = "1" msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\470E4FB4BAE8D444894A278DEDA96B53 msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process
3172 msiexec.exe
3172 msiexec.exe
4024 dzaisizs.exe
4024 dzaisizs.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeShutdownPrivilege 1248 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1248 msiexec.exe
Token: SeSecurityPrivilege 3172 msiexec.exe
Token: SeCreateTokenPrivilege 1248 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1248 msiexec.exe
Token: SeLockMemoryPrivilege 1248 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1248 msiexec.exe
Token: SeMachineAccountPrivilege 1248 msiexec.exe
Token: SeTcbPrivilege 1248 msiexec.exe
Token: SeSecurityPrivilege 1248 msiexec.exe
Token: SeTakeOwnershipPrivilege 1248 msiexec.exe
Token: SeLoadDriverPrivilege 1248 msiexec.exe
Token: SeSystemProfilePrivilege 1248 msiexec.exe
Token: SeSystemtimePrivilege 1248 msiexec.exe
Token: SeProfSingleProcessPrivilege 1248 msiexec.exe
Token: SeIncBasePriorityPrivilege 1248 msiexec.exe
Token: SeCreatePagefilePrivilege 1248 msiexec.exe
Token: SeCreatePermanentPrivilege 1248 msiexec.exe
Token: SeBackupPrivilege 1248 msiexec.exe
Token: SeRestorePrivilege 1248 msiexec.exe
Token: SeShutdownPrivilege 1248 msiexec.exe
Token: SeDebugPrivilege 1248 msiexec.exe
Token: SeAuditPrivilege 1248 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1248 msiexec.exe
Token: SeChangeNotifyPrivilege 1248 msiexec.exe
Token: SeRemoteShutdownPrivilege 1248 msiexec.exe
Token: SeUndockPrivilege 1248 msiexec.exe
Token: SeSyncAgentPrivilege 1248 msiexec.exe
Token: SeEnableDelegationPrivilege 1248 msiexec.exe
Token: SeManageVolumePrivilege 1248 msiexec.exe
Token: SeImpersonatePrivilege 1248 msiexec.exe
Token: SeCreateGlobalPrivilege 1248 msiexec.exe
Token: SeCreateTokenPrivilege 1248 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1248 msiexec.exe
Token: SeLockMemoryPrivilege 1248 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1248 msiexec.exe
Token: SeMachineAccountPrivilege 1248 msiexec.exe
Token: SeTcbPrivilege 1248 msiexec.exe
Token: SeSecurityPrivilege 1248 msiexec.exe
Token: SeTakeOwnershipPrivilege 1248 msiexec.exe
Token: SeLoadDriverPrivilege 1248 msiexec.exe
Token: SeSystemProfilePrivilege 1248 msiexec.exe
Token: SeSystemtimePrivilege 1248 msiexec.exe
Token: SeProfSingleProcessPrivilege 1248 msiexec.exe
Token: SeIncBasePriorityPrivilege 1248 msiexec.exe
Token: SeCreatePagefilePrivilege 1248 msiexec.exe
Token: SeCreatePermanentPrivilege 1248 msiexec.exe
Token: SeBackupPrivilege 1248 msiexec.exe
Token: SeRestorePrivilege 1248 msiexec.exe
Token: SeShutdownPrivilege 1248 msiexec.exe
Token: SeDebugPrivilege 1248 msiexec.exe
Token: SeAuditPrivilege 1248 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1248 msiexec.exe
Token: SeChangeNotifyPrivilege 1248 msiexec.exe
Token: SeRemoteShutdownPrivilege 1248 msiexec.exe
Token: SeUndockPrivilege 1248 msiexec.exe
Token: SeSyncAgentPrivilege 1248 msiexec.exe
Token: SeEnableDelegationPrivilege 1248 msiexec.exe
Token: SeManageVolumePrivilege 1248 msiexec.exe
Token: SeImpersonatePrivilege 1248 msiexec.exe
Token: SeCreateGlobalPrivilege 1248 msiexec.exe
Token: SeCreateTokenPrivilege 1248 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1248 msiexec.exe
Token: SeLockMemoryPrivilege 1248 msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
1248 msiexec.exe
1248 msiexec.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
4024 dzaisizs.exe
4024 dzaisizs.exe
4024 dzaisizs.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target
PID 3172 wrote to memory of 1868 3172 msiexec.exe 87
PID 3172 wrote to memory of 1868 3172 msiexec.exe 87
PID 3172 wrote to memory of 1868 3172 msiexec.exe 87
PID 3172 wrote to memory of 2576 3172 msiexec.exe 111
PID 3172 wrote to memory of 2576 3172 msiexec.exe 111
PID 3172 wrote to memory of 2488 3172 msiexec.exe 113
PID 3172 wrote to memory of 2488 3172 msiexec.exe 113
PID 3172 wrote to memory of 2488 3172 msiexec.exe 113
PID 1868 wrote to memory of 4024 1868 MsiExec.exe 116
PID 1868 wrote to memory of 4024 1868 MsiExec.exe 116
PID 1868 wrote to memory of 4024 1868 MsiExec.exe 116
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b1b4a6322037cf898fff9a6d49dcceca4109fa56f8a48b237ec4ebe117d2b58a.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1248
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172
  -
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A83FED5E32581C2292F0A73DAF06248A C
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
    -
    C:\Program Files (x86)\aisizhushou-\aisizhushou-\dzaisizs.exe
    "C:\Program Files (x86)\aisizhushou-\aisizhushou-\dzaisizs.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4024
  -
  C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  PID:2576
  -
  C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4D94C4E0DED203E1E6C85D5CB99181F8
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2488
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
PID:1068
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ee3c60b9-5579-4895-bb16-b17d8053a992}_OnDiskSnapshotProp
Filesize
6KB