Analysis
max time kernel: 93s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/11/2024, 04:54
Static task: static1
Behavioral task: behavioral1 (Sample: tn5250.msi, Resource: win7-20240729-en)
Behavioral task: behavioral2 (Sample: tn5250.msi, Resource: win10v2004-20241007-en)
General
Target: tn5250.msi
Size: 2.0MB
MD5: df00268606a3e3488d08a5e2cec0c100
SHA1: 7f6b44e59134341a7cad154d223a5121de42b5e9
SHA256: 8bd1afd65268e5d9e416d830b8d370d8a8956824a8293b3b372d7fa051e982c8
SHA512: 9f5cd01d31fcf2616d2384270ccc5d914f071dd7ae5b7ba45a7e605053907db021ba28365e4396aef495373453f2126e884eff6604f5caa93086c994dce4e7ac
SSDEEP: 49152:45kVY5AyE3D2aXE739bH/fwmOua7IX9qNGnHt6q+tMp:7Y5AJCWcNbHbOH7ItqN0Htj+
Malware Config
Signatures
Blocklisted process makes network request 2 IoCs
flow | pid | Process
5 | 2468 | msiexec.exe
7 | 2468 | msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.273 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.274 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.871 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\mtn5250.chm | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\readme.txt | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1047 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1026 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.277 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.285 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.297 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.875 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.037 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.1025 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.280 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.284 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.500 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.278 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.385 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\ebcdic.870 | msiexec.exe
File created | C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\license.txt | msiexec.exe
Drops file in Windows directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\{1607BB80-6FC9-4111-96E0-F5BD60334441}\controlPanelIcon.exe | msiexec.exe
File created | C:\Windows\Installer\e58435f.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e58435d.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4467.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{1607BB80-6FC9-4111-96E0-F5BD60334441} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI464C.tmp | msiexec.exe
File created | C:\Windows\Installer\{1607BB80-6FC9-4111-96E0-F5BD60334441}\controlPanelIcon.exe | msiexec.exe
File created | C:\Windows\Installer\e58435d.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
Executes dropped EXE 1 IoCs
pid | Process
3776 | tn5250.exe
Loads dropped DLL 4 IoCs
pid | Process
4564 | MsiExec.exe
4564 | MsiExec.exe
4564 | MsiExec.exe
3856 | MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
2468 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Modifies data under HKEY_USERS 3 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Modifies registry class 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA965DEA46E0C94DBEB74AA1A71BD6E | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\EFA965DEA46E0C94DBEB74AA1A71BD6E\08BB70619CF61114690E5FDB06334414 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Language = "1033" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\ProductIcon = "C:\\Windows\\Installer\\{1607BB80-6FC9-4111-96E0-F5BD60334441}\\controlPanelIcon.exe" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\PackageName = "tn5250.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media\1 = ";" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08BB70619CF61114690E5FDB06334414 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\ProductName = "Mocha TN5250 for Windows 7/8/10/11" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Version = "67174400" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\08BB70619CF61114690E5FDB06334414\MainFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\PackageCode = "3659D57DB5B13764D96BE8F330FF495D" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\08BB70619CF61114690E5FDB06334414 | msiexec.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
3672 | msiexec.exe
3672 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 2468 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2468 | msiexec.exe
Token: SeSecurityPrivilege | 3672 | msiexec.exe
Token: SeCreateTokenPrivilege | 2468 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2468 | msiexec.exe
Token: SeLockMemoryPrivilege | 2468 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2468 | msiexec.exe
Token: SeMachineAccountPrivilege | 2468 | msiexec.exe
Token: SeTcbPrivilege | 2468 | msiexec.exe
Token: SeSecurityPrivilege | 2468 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2468 | msiexec.exe
Token: SeLoadDriverPrivilege | 2468 | msiexec.exe
Token: SeSystemProfilePrivilege | 2468 | msiexec.exe
Token: SeSystemtimePrivilege | 2468 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2468 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2468 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2468 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2468 | msiexec.exe
Token: SeBackupPrivilege | 2468 | msiexec.exe
Token: SeRestorePrivilege | 2468 | msiexec.exe
Token: SeShutdownPrivilege | 2468 | msiexec.exe
Token: SeDebugPrivilege | 2468 | msiexec.exe
Token: SeAuditPrivilege | 2468 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2468 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2468 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2468 | msiexec.exe
Token: SeUndockPrivilege | 2468 | msiexec.exe
Token: SeSyncAgentPrivilege | 2468 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2468 | msiexec.exe
Token: SeManageVolumePrivilege | 2468 | msiexec.exe
Token: SeImpersonatePrivilege | 2468 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2468 | msiexec.exe
Token: SeCreateTokenPrivilege | 2468 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2468 | msiexec.exe
Token: SeLockMemoryPrivilege | 2468 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2468 | msiexec.exe
Token: SeMachineAccountPrivilege | 2468 | msiexec.exe
Token: SeTcbPrivilege | 2468 | msiexec.exe
Token: SeSecurityPrivilege | 2468 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2468 | msiexec.exe
Token: SeLoadDriverPrivilege | 2468 | msiexec.exe
Token: SeSystemProfilePrivilege | 2468 | msiexec.exe
Token: SeSystemtimePrivilege | 2468 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2468 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2468 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2468 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2468 | msiexec.exe
Token: SeBackupPrivilege | 2468 | msiexec.exe
Token: SeRestorePrivilege | 2468 | msiexec.exe
Token: SeShutdownPrivilege | 2468 | msiexec.exe
Token: SeDebugPrivilege | 2468 | msiexec.exe
Token: SeAuditPrivilege | 2468 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2468 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2468 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2468 | msiexec.exe
Token: SeUndockPrivilege | 2468 | msiexec.exe
Token: SeSyncAgentPrivilege | 2468 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2468 | msiexec.exe
Token: SeManageVolumePrivilege | 2468 | msiexec.exe
Token: SeImpersonatePrivilege | 2468 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2468 | msiexec.exe
Token: SeCreateTokenPrivilege | 2468 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2468 | msiexec.exe
Token: SeLockMemoryPrivilege | 2468 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2468 | msiexec.exe
2468 | msiexec.exe
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 3672 wrote to memory of 4564 | 3672 | msiexec.exe | 85
PID 3672 wrote to memory of 4564 | 3672 | msiexec.exe | 85
PID 3672 wrote to memory of 4564 | 3672 | msiexec.exe | 85
PID 3672 wrote to memory of 1440 | 3672 | msiexec.exe | 109
PID 3672 wrote to memory of 1440 | 3672 | msiexec.exe | 109
PID 3672 wrote to memory of 3856 | 3672 | msiexec.exe | 111
PID 3672 wrote to memory of 3856 | 3672 | msiexec.exe | 111
PID 3672 wrote to memory of 3856 | 3672 | msiexec.exe | 111
PID 3672 wrote to memory of 3776 | 3672 | msiexec.exe | 112
PID 3672 wrote to memory of 3776 | 3672 | msiexec.exe | 112
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tn5250.msi
PID: 2468
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 3672
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 38D796950122B7B748779D748E7A9C11 C
    PID: 4564
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

    C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 1440

    C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9B46CC85536D06470E23B203F16FA4A9
    PID: 3856
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

    C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe
    Command line: "C:\Program Files (x86)\MochaSoft\Mocha TN5250 for Vista\tn5250.exe" /Zempty
    PID: 3776
    - Executes dropped EXE

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 2752
- Checks SCSI registry key(s)

Network
MITRE ATT&CK Enterprise v15
Downloads