Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/11/2024, 11:52
Static task: static1
Behavioral task: behavioral1
  Sample: tn5250.msi
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: tn5250.msi
  Resource: win10v2004-20241007-en
General
Target: tn5250.msi
Size: 2.0MB
MD5: df00268606a3e3488d08a5e2cec0c100
SHA1: 7f6b44e59134341a7cad154d223a5121de42b5e9
SHA256: 8bd1afd65268e5d9e416d830b8d370d8a8956824a8293b3b372d7fa051e982c8
SHA512: 9f5cd01d31fcf2616d2384270ccc5d914f071dd7ae5b7ba45a7e605053907db021ba28365e4396aef495373453f2126e884eff6604f5caa93086c994dce4e7ac
SSDEEP: 49152:45kVY5AyE3D2aXE739bH/fwmOua7IX9qNGnHt6q+tMp:7Y5AJCWcNbHbOH7ItqN0Htj+
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow | pid | Process
4 | 644 | msiexec.exe
6 | 644 | msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1025 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.277 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.284 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.385 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.870 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\license.txt | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1047 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.037 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.274 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.278 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.280 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.500 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\readme.txt | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.273 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.297 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.875 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\mtn5250.chm | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1026 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.285 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.871 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe | msiexec.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e58491c.msi | msiexec.exe
File created | C:\Windows\Installer\e58491a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e58491a.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\{1607BB80-6FC9-4111-96E0-F5BD60334441}\controlPanelIcon.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4A04.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{1607BB80-6FC9-4111-96E0-F5BD60334441} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4BCA.tmp | msiexec.exe
File created | C:\Windows\Installer\{1607BB80-6FC9-4111-96E0-F5BD60334441}\controlPanelIcon.exe | msiexec.exe
Executes dropped EXE 1 IoCs
pid | Process
2200 | tn5250.exe
Loads dropped DLL 4 IoCs
pid | Process
3688 | MsiExec.exe
3688 | MsiExec.exe
3688 | MsiExec.exe
3332 | MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
644 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Modifies registry class 24 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\ProductName = "Mocha TN5250 for Windows 7/8/10/11" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\ProductIcon = "C:\\Windows\\Installer\\{1607BB80-6FC9-4111-96E0-F5BD60334441}\\controlPanelIcon.exe" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA965DEA46E0C94DBEB74AA1A71BD6E | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA965DEA46E0C94DBEB74AA1A71BD6E\08BB70619CF61114690E5FDB06334414 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08BB70619CF61114690E5FDB06334414\MainFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\PackageName = "tn5250.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Clients = 3a0000000000 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Version = "67174400" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08BB70619CF61114690E5FDB06334414 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\PackageCode = "3659D57DB5B13764D96BE8F330FF495D" | msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
4284 | msiexec.exe
4284 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 644 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 644 | msiexec.exe
Token: SeSecurityPrivilege | 4284 | msiexec.exe
Token: SeCreateTokenPrivilege | 644 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 644 | msiexec.exe
Token: SeLockMemoryPrivilege | 644 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 644 | msiexec.exe
Token: SeMachineAccountPrivilege | 644 | msiexec.exe
Token: SeTcbPrivilege | 644 | msiexec.exe
Token: SeSecurityPrivilege | 644 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 644 | msiexec.exe
Token: SeLoadDriverPrivilege | 644 | msiexec.exe
Token: SeSystemProfilePrivilege | 644 | msiexec.exe
Token: SeSystemtimePrivilege | 644 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 644 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 644 | msiexec.exe
Token: SeCreatePagefilePrivilege | 644 | msiexec.exe
Token: SeCreatePermanentPrivilege | 644 | msiexec.exe
Token: SeBackupPrivilege | 644 | msiexec.exe
Token: SeRestorePrivilege | 644 | msiexec.exe
Token: SeShutdownPrivilege | 644 | msiexec.exe
Token: SeDebugPrivilege | 644 | msiexec.exe
Token: SeAuditPrivilege | 644 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 644 | msiexec.exe
Token: SeChangeNotifyPrivilege | 644 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 644 | msiexec.exe
Token: SeUndockPrivilege | 644 | msiexec.exe
Token: SeSyncAgentPrivilege | 644 | msiexec.exe
Token: SeEnableDelegationPrivilege | 644 | msiexec.exe
Token: SeManageVolumePrivilege | 644 | msiexec.exe
Token: SeImpersonatePrivilege | 644 | msiexec.exe
Token: SeCreateGlobalPrivilege | 644 | msiexec.exe
Token: SeCreateTokenPrivilege | 644 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 644 | msiexec.exe
Token: SeLockMemoryPrivilege | 644 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 644 | msiexec.exe
Token: SeMachineAccountPrivilege | 644 | msiexec.exe
Token: SeTcbPrivilege | 644 | msiexec.exe
Token: SeSecurityPrivilege | 644 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 644 | msiexec.exe
Token: SeLoadDriverPrivilege | 644 | msiexec.exe
Token: SeSystemProfilePrivilege | 644 | msiexec.exe
Token: SeSystemtimePrivilege | 644 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 644 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 644 | msiexec.exe
Token: SeCreatePagefilePrivilege | 644 | msiexec.exe
Token: SeCreatePermanentPrivilege | 644 | msiexec.exe
Token: SeBackupPrivilege | 644 | msiexec.exe
Token: SeRestorePrivilege | 644 | msiexec.exe
Token: SeShutdownPrivilege | 644 | msiexec.exe
Token: SeDebugPrivilege | 644 | msiexec.exe
Token: SeAuditPrivilege | 644 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 644 | msiexec.exe
Token: SeChangeNotifyPrivilege | 644 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 644 | msiexec.exe
Token: SeUndockPrivilege | 644 | msiexec.exe
Token: SeSyncAgentPrivilege | 644 | msiexec.exe
Token: SeEnableDelegationPrivilege | 644 | msiexec.exe
Token: SeManageVolumePrivilege | 644 | msiexec.exe
Token: SeImpersonatePrivilege | 644 | msiexec.exe
Token: SeCreateGlobalPrivilege | 644 | msiexec.exe
Token: SeCreateTokenPrivilege | 644 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 644 | msiexec.exe
Token: SeLockMemoryPrivilege | 644 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
644 | msiexec.exe
644 | msiexec.exe
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 4284 wrote to memory of 3688 | 4284 | msiexec.exe | 88
PID 4284 wrote to memory of 3688 | 4284 | msiexec.exe | 88
PID 4284 wrote to memory of 3688 | 4284 | msiexec.exe | 88
PID 4284 wrote to memory of 1404 | 4284 | msiexec.exe | 111
PID 4284 wrote to memory of 1404 | 4284 | msiexec.exe | 111
PID 4284 wrote to memory of 3332 | 4284 | msiexec.exe | 113
PID 4284 wrote to memory of 3332 | 4284 | msiexec.exe | 113
PID 4284 wrote to memory of 3332 | 4284 | msiexec.exe | 113
PID 4284 wrote to memory of 2200 | 4284 | msiexec.exe | 114
PID 4284 wrote to memory of 2200 | 4284 | msiexec.exe | 114
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tn5250.msi
  PID: 644
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4284
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
    - C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F03961A864CE0AF446EEF47014639DA7 C
      PID: 3688
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    - C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 1404
    - C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E79E8DBF0620219AFC0C6A2BEF7DBD12
      PID: 3332
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe
      Command line: "C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe" /Zempty
      PID: 2200
      - Executes dropped EXE
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 4536
  - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize: 471B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_EC420DCD3BBF75F74A9D9E7363E1AE4E
Filesize: 727B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize: 727B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize: 400B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_EC420DCD3BBF75F74A9D9E7363E1AE4E
Filesize: 404B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize: 412B
-
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{33582684-5aa8-45d4-8e93-10e0864bbd64}_OnDiskSnapshotProp
Filesize: 6KB