7e80a38c47a1457a35567f30a7ea515248ca391ae3d9deec48b31868af7315b0

Analysis

max time kernel
150s
max time network
120s
platform
windows10_x64
resource
win10v20210410
submitted
24-05-2021 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tightvnc-2.8.59-gpl-setup-64bit.msi
Size

2.4MB
MD5

a85259eec8742fdd4acffcdac54cd930
SHA1

696204de2e5688356bc01bae037c3b955432acdd
SHA256

7e80a38c47a1457a35567f30a7ea515248ca391ae3d9deec48b31868af7315b0
SHA512

1b2fd5b8e723c69250d6dfe2c24bbaa80b1a8d050c4d8ca24a2e92cc7f5d284bbac711e452f727c2ce12293ccbf7a4e005f3795015626d4a20f20c49f977a6b6

Score

8^/10

persistence

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exe

flow pid process

7 512 msiexec.exe
9 512 msiexec.exe
12 512 msiexec.exe
14 512 msiexec.exe
16 512 msiexec.exe
Executes dropped EXE 6 IoCs

Processes:

tvnserver.exetvnserver.exetvnserver.exetvnserver.exetvnserver.exetvnserver.exe

pid process

4480 tvnserver.exe
4512 tvnserver.exe
4536 tvnserver.exe
4684 tvnserver.exe
4732 tvnserver.exe
5012 tvnserver.exe
Loads dropped DLL 8 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid process

2716 MsiExec.exe
4124 MsiExec.exe
4204 MsiExec.exe
4204 MsiExec.exe
4124 MsiExec.exe
4304 MsiExec.exe
4364 MsiExec.exe
4364 MsiExec.exe

flow	pid	process
7	512	msiexec.exe
9	512	msiexec.exe
12	512	msiexec.exe
14	512	msiexec.exe
16	512	msiexec.exe

pid	process
4480	tvnserver.exe
4512	tvnserver.exe
4536	tvnserver.exe
4684	tvnserver.exe
4732	tvnserver.exe
5012	tvnserver.exe

pid	process
2716	MsiExec.exe
4124	MsiExec.exe
4204	MsiExec.exe
4204	MsiExec.exe
4124	MsiExec.exe
4304	MsiExec.exe
4364	MsiExec.exe
4364	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tvnserver.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tvncontrol = "\"C:\\Program Files\\TightVNC\\tvnserver.exe\" -controlservice -slave"	tvnserver.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Program Files directory 7 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\TightVNC\tvnviewer.exe	msiexec.exe
File created	C:\Program Files\TightVNC\LICENSE.txt	msiexec.exe
File created	C:\Program Files\TightVNC\screenhooks32.dll	msiexec.exe
File created	C:\Program Files\TightVNC\screenhooks64.dll	msiexec.exe
File created	C:\Program Files\TightVNC\hookldr.exe	msiexec.exe
File created	C:\Program Files\TightVNC\tvnserver.exe	msiexec.exe
File created	C:\Program Files\TightVNC\TightVNC Web Site.url	msiexec.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f746835.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6CAD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\tvnserver.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6EA4.tmp	msiexec.exe
File created	C:\Windows\Installer\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\tvnserver.ico	msiexec.exe
File created	C:\Windows\Installer\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\viewer.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI71D2.tmp	msiexec.exe
File created	C:\Windows\Installer\f746835.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\viewer.ico	msiexec.exe
File created	C:\Windows\Installer\f746837.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A4A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6B64.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6D89.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70A9.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

MsiExec.exemsiexec.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe

Modifies registry class 37 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\DefaultIcon\ = "C:\\Program Files\\TightVNC\\tvnviewer.exe,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4497C60E20ECBFF478FEE0D972C8E6CB\Server = "TightVNC"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vnc\ = "VncViewer.Config"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\ProductName = "TightVNC"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VncViewer.Config	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VncViewer.Config\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\ProductIcon = "C:\\Windows\\Installer\\{E06C7944-CE02-4FFB-87EF-0E9D278C6EBC}\\tvnserver.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0B272F1B74B50F64A92F07E546BEA196\4497C60E20ECBFF478FEE0D972C8E6CB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\PackageName = "tightvnc-2.8.59-gpl-setup-64bit.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.vnc	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell\open\command	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4497C60E20ECBFF478FEE0D972C8E6CB\Viewer = "TightVNC"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\PackageCode = "F6E2AA17AEC1C9A4890844775A302547"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\ = "VNCviewer Config File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell\open	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\Version = "34078779"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VncViewer.Config\shell\open\command\ = "\"C:\\Program Files\\TightVNC\\tvnviewer.exe\" -optionsfile=\"%1\""	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4497C60E20ECBFF478FEE0D972C8E6CB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0B272F1B74B50F64A92F07E546BEA196	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4497C60E20ECBFF478FEE0D972C8E6CB\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\VncViewer.Config\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4497C60E20ECBFF478FEE0D972C8E6CB\TightVNC	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

1788 msiexec.exe
1788 msiexec.exe

pid	process
1788	msiexec.exe
1788	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	512	msiexec.exe
Token: SeSecurityPrivilege	1788	msiexec.exe
Token: SeCreateTokenPrivilege	512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	512	msiexec.exe
Token: SeLockMemoryPrivilege	512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	512	msiexec.exe
Token: SeMachineAccountPrivilege	512	msiexec.exe
Token: SeTcbPrivilege	512	msiexec.exe
Token: SeSecurityPrivilege	512	msiexec.exe
Token: SeTakeOwnershipPrivilege	512	msiexec.exe
Token: SeLoadDriverPrivilege	512	msiexec.exe
Token: SeSystemProfilePrivilege	512	msiexec.exe
Token: SeSystemtimePrivilege	512	msiexec.exe
Token: SeProfSingleProcessPrivilege	512	msiexec.exe
Token: SeIncBasePriorityPrivilege	512	msiexec.exe
Token: SeCreatePagefilePrivilege	512	msiexec.exe
Token: SeCreatePermanentPrivilege	512	msiexec.exe
Token: SeBackupPrivilege	512	msiexec.exe
Token: SeRestorePrivilege	512	msiexec.exe
Token: SeShutdownPrivilege	512	msiexec.exe
Token: SeDebugPrivilege	512	msiexec.exe
Token: SeAuditPrivilege	512	msiexec.exe
Token: SeSystemEnvironmentPrivilege	512	msiexec.exe
Token: SeChangeNotifyPrivilege	512	msiexec.exe
Token: SeRemoteShutdownPrivilege	512	msiexec.exe
Token: SeUndockPrivilege	512	msiexec.exe
Token: SeSyncAgentPrivilege	512	msiexec.exe
Token: SeEnableDelegationPrivilege	512	msiexec.exe
Token: SeManageVolumePrivilege	512	msiexec.exe
Token: SeImpersonatePrivilege	512	msiexec.exe
Token: SeCreateGlobalPrivilege	512	msiexec.exe
Token: SeCreateTokenPrivilege	512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	512	msiexec.exe
Token: SeLockMemoryPrivilege	512	msiexec.exe
Token: SeIncreaseQuotaPrivilege	512	msiexec.exe
Token: SeMachineAccountPrivilege	512	msiexec.exe
Token: SeTcbPrivilege	512	msiexec.exe
Token: SeSecurityPrivilege	512	msiexec.exe
Token: SeTakeOwnershipPrivilege	512	msiexec.exe
Token: SeLoadDriverPrivilege	512	msiexec.exe
Token: SeSystemProfilePrivilege	512	msiexec.exe
Token: SeSystemtimePrivilege	512	msiexec.exe
Token: SeProfSingleProcessPrivilege	512	msiexec.exe
Token: SeIncBasePriorityPrivilege	512	msiexec.exe
Token: SeCreatePagefilePrivilege	512	msiexec.exe
Token: SeCreatePermanentPrivilege	512	msiexec.exe
Token: SeBackupPrivilege	512	msiexec.exe
Token: SeRestorePrivilege	512	msiexec.exe
Token: SeShutdownPrivilege	512	msiexec.exe
Token: SeDebugPrivilege	512	msiexec.exe
Token: SeAuditPrivilege	512	msiexec.exe
Token: SeSystemEnvironmentPrivilege	512	msiexec.exe
Token: SeChangeNotifyPrivilege	512	msiexec.exe
Token: SeRemoteShutdownPrivilege	512	msiexec.exe
Token: SeUndockPrivilege	512	msiexec.exe
Token: SeSyncAgentPrivilege	512	msiexec.exe
Token: SeEnableDelegationPrivilege	512	msiexec.exe
Token: SeManageVolumePrivilege	512	msiexec.exe
Token: SeImpersonatePrivilege	512	msiexec.exe
Token: SeCreateGlobalPrivilege	512	msiexec.exe
Token: SeCreateTokenPrivilege	512	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	512	msiexec.exe
Token: SeLockMemoryPrivilege	512	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msiexec.exetvnserver.exe

pid	process
512	msiexec.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

tvnserver.exe

pid	process
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe
4684	tvnserver.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

msiexec.exetvnserver.exetvnserver.exe

description	pid	process	target process
PID 1788 wrote to memory of 2716	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 2716	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 2716	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 3572	1788	msiexec.exe	srtasks.exe
PID 1788 wrote to memory of 3572	1788	msiexec.exe	srtasks.exe
PID 1788 wrote to memory of 4124	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4124	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4204	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4204	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4204	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4304	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4304	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4304	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4364	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4364	1788	msiexec.exe	MsiExec.exe
PID 1788 wrote to memory of 4480	1788	msiexec.exe	tvnserver.exe
PID 1788 wrote to memory of 4480	1788	msiexec.exe	tvnserver.exe
PID 1788 wrote to memory of 4512	1788	msiexec.exe	tvnserver.exe
PID 1788 wrote to memory of 4512	1788	msiexec.exe	tvnserver.exe
PID 4512 wrote to memory of 4684	4512	tvnserver.exe	tvnserver.exe
PID 4512 wrote to memory of 4684	4512	tvnserver.exe	tvnserver.exe
PID 1788 wrote to memory of 4732	1788	msiexec.exe	tvnserver.exe
PID 1788 wrote to memory of 4732	1788	msiexec.exe	tvnserver.exe
PID 4732 wrote to memory of 5012	4732	tvnserver.exe	tvnserver.exe
PID 4732 wrote to memory of 5012	4732	tvnserver.exe	tvnserver.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tightvnc-2.8.59-gpl-setup-64bit.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BD1B5A33CB2420F16B0B8D9287915983 C
2⤵
- Loads dropped DLL
PID:2716

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3572

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 812A6967683803DEA2CA9CE21EF334FE
2⤵
- Loads dropped DLL
PID:4124

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7D969ECF5F0FFBADCA3F08F0985851F2
2⤵
- Loads dropped DLL
PID:4204

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 22DB582BFC760DCD0F40CDF854B79CF0 E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4304

C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 466C3101CC8F9BB3E09B7D75F1A3AFF9 E Global\MSI0000
2⤵
- Loads dropped DLL
PID:4364

C:\Program Files\TightVNC\tvnserver.exe
"C:\Program Files\TightVNC\tvnserver.exe" -reinstall -silent
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4480

C:\Program Files\TightVNC\tvnserver.exe
"C:\Program Files\TightVNC\tvnserver.exe" -start
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512

C:\Program Files\TightVNC\tvnserver.exe
"C:\Program Files\TightVNC\tvnserver.exe" -controlservice -slave
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4684

C:\Program Files\TightVNC\tvnserver.exe
"C:\Program Files\TightVNC\tvnserver.exe" -checkservicepasswords
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732

C:\Program Files\TightVNC\tvnserver.exe
"C:\Program Files\TightVNC\tvnserver.exe" -controlservice -reload
3⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2648

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:192

C:\Program Files\TightVNC\tvnserver.exe
"C:\Program Files\TightVNC\tvnserver.exe" -service
1⤵
- Executes dropped EXE
PID:4536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\TightVNC\tvnserver.exe
MD5
5d478f94283cd69f4393d8da703bd442

SHA1
b4f4a6d6310c9b236dc96cc216425b76d2a93772

SHA256
9b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac

SHA512
7840ba7b5242d7bc950f7e422e1865ab5721273a15151aea7d7bb90fae98c2a0dd9f3c625dfc3b43a0167e35fef411758075cdf267787cf92c6e141aae8a72aa

Download Submit
C:\Program Files\TightVNC\tvnserver.exe
MD5
5d478f94283cd69f4393d8da703bd442

SHA1
b4f4a6d6310c9b236dc96cc216425b76d2a93772

SHA256
9b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac

SHA512
7840ba7b5242d7bc950f7e422e1865ab5721273a15151aea7d7bb90fae98c2a0dd9f3c625dfc3b43a0167e35fef411758075cdf267787cf92c6e141aae8a72aa

Download Submit
C:\Program Files\TightVNC\tvnserver.exe
MD5
5d478f94283cd69f4393d8da703bd442

SHA1
b4f4a6d6310c9b236dc96cc216425b76d2a93772

SHA256
9b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac

SHA512
7840ba7b5242d7bc950f7e422e1865ab5721273a15151aea7d7bb90fae98c2a0dd9f3c625dfc3b43a0167e35fef411758075cdf267787cf92c6e141aae8a72aa

Download Submit
C:\Program Files\TightVNC\tvnserver.exe
MD5
5d478f94283cd69f4393d8da703bd442

SHA1
b4f4a6d6310c9b236dc96cc216425b76d2a93772

SHA256
9b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac

SHA512
7840ba7b5242d7bc950f7e422e1865ab5721273a15151aea7d7bb90fae98c2a0dd9f3c625dfc3b43a0167e35fef411758075cdf267787cf92c6e141aae8a72aa

Download Submit
C:\Program Files\TightVNC\tvnserver.exe
MD5
5d478f94283cd69f4393d8da703bd442

SHA1
b4f4a6d6310c9b236dc96cc216425b76d2a93772

SHA256
9b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac

SHA512
7840ba7b5242d7bc950f7e422e1865ab5721273a15151aea7d7bb90fae98c2a0dd9f3c625dfc3b43a0167e35fef411758075cdf267787cf92c6e141aae8a72aa

Download Submit
C:\Program Files\TightVNC\tvnserver.exe
MD5
5d478f94283cd69f4393d8da703bd442

SHA1
b4f4a6d6310c9b236dc96cc216425b76d2a93772

SHA256
9b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac

SHA512
7840ba7b5242d7bc950f7e422e1865ab5721273a15151aea7d7bb90fae98c2a0dd9f3c625dfc3b43a0167e35fef411758075cdf267787cf92c6e141aae8a72aa

Download Submit
C:\Program Files\TightVNC\tvnserver.exe
MD5
5d478f94283cd69f4393d8da703bd442

SHA1
b4f4a6d6310c9b236dc96cc216425b76d2a93772

SHA256
9b1f877060d1f8399462d443d87cd1a7fed777b6ca25fed712d76d3980adf5ac

SHA512
7840ba7b5242d7bc950f7e422e1865ab5721273a15151aea7d7bb90fae98c2a0dd9f3c625dfc3b43a0167e35fef411758075cdf267787cf92c6e141aae8a72aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
MD5
f9b08c45101ee8375915a03a3123067b

SHA1
41ead912bcf27306ae9d3d438ca46a0baad4061e

SHA256
87d5b0a608ee3680c8a2a0a3b84aed60ca182b6ab2d0be732f83f546bcffe400

SHA512
fea4abbc4ab40e6e7851a3f3c8652319cb4b9cc1163add9329e74a512338c85e6190d07fae5b4e8431e7cea613dd15b7bf2fc3603db20901468e90687619f0ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
5c23ef4b2e861d68b28e015d948f89cd

SHA1
c988b471f96a80c4d74deaf05a7e965aeb07e457

SHA256
164c38fae9ce4805dd774ce07375fbeb9ee91df73a905558c050f381982dcae0

SHA512
42944358031d13fc8f7d8e6bf4a0962d1c503e1fe996e2b3ccd0719e3c264104da16ed7bcfbaadd67d2eb850cf0db8f21e93bdec7bb9224770804cfbc2752539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_2C6D150AA157B3BBB8A52450BB086C70
MD5
c88f14e939adc7301260af6d7b1c9382

SHA1
d34ba242c2c8fe3ec18a5f8574d2affe2c712025

SHA256
4799c838d5e3b178e06df8cd569d22ffdf92a09e392eb985956044e12e6c5e4d

SHA512
b624b78f5a573921d7d14bfcfbe7d4a551d408d10e9b356a8d3fa65b3b04a16ffe6ec8c9910a8f7438ed2b309136e4c8417903fad606b0f105f2c0a3bc0c7f8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17
MD5
e0dd3d7463938ad26ab978635a554208

SHA1
9e676f739a9b94c78e7b174e932c4abf51bb4c40

SHA256
0f220e88ac3c94329b09c2c369c2e1313b946c74f515624ad40a6112da83a34f

SHA512
f4425a165ed072252127f2255cb9832b3c93e33fb55c437fb23efd4bcf3bb2fe7c112593f023155ad605f1123bcbcf2209f716a2bfbdd92cf9ed4c2004934f40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
8be056425b8d4590e255a05fc1ef61f8

SHA1
6e82c3929ae23441c475f44988859e1ced89ff59

SHA256
e982696763cd89223a75a37452a16a1651233aca49668ef5c739991bb2cfa5a6

SHA512
e943c36a1e6e49ba1c80ce5e9cc354bfb6cf0ff8467b641a693815c38d8eed652f8d398db7da5e8c11cdde8f717c89686c3a615f7adaf00f7b2450f9b734f2a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_2C6D150AA157B3BBB8A52450BB086C70
MD5
58b05aa8be5d4d5593eab26dab7e49c6

SHA1
54aedf9ad632fb2031f53824054045461ed08e4e

SHA256
30db2465acf738354530e01e6fa54007dd5b678d5ff42e536c0fae3cbb5ede0d

SHA512
e285f045c581b9bfb78601faebee842420dc3cc3ec8361b0654a507db90b9b709bafd0d6cf3b4fafad44e126a563287dff7232ccc7e4bf0334b145f0cfddb6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFDF2.tmp
MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI6A4A.tmp
MD5
b2e2c24ebce4f188cf28b9e1470227f5

SHA1
9de61721326d8e88636f9633aa37fcb885a4babe

SHA256
233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69

SHA512
343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354

Download Submit
C:\Windows\Installer\MSI6B64.tmp
MD5
93394d2866590fb66759f5f0263453f2

SHA1
2f0903d4b21a0231add1b4cd02e25c7c4974da84

SHA256
5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b

SHA512
f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

Download Submit
C:\Windows\Installer\MSI6CAD.tmp
MD5
93394d2866590fb66759f5f0263453f2

SHA1
2f0903d4b21a0231add1b4cd02e25c7c4974da84

SHA256
5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b

SHA512
f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

Download Submit
C:\Windows\Installer\MSI6D89.tmp
MD5
b2e2c24ebce4f188cf28b9e1470227f5

SHA1
9de61721326d8e88636f9633aa37fcb885a4babe

SHA256
233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69

SHA512
343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354

Download Submit
C:\Windows\Installer\MSI6EA4.tmp
MD5
93394d2866590fb66759f5f0263453f2

SHA1
2f0903d4b21a0231add1b4cd02e25c7c4974da84

SHA256
5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b

SHA512
f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

Download Submit
C:\Windows\Installer\MSI70A9.tmp
MD5
b2e2c24ebce4f188cf28b9e1470227f5

SHA1
9de61721326d8e88636f9633aa37fcb885a4babe

SHA256
233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69

SHA512
343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354

Download Submit
C:\Windows\Installer\MSI71D2.tmp
MD5
7e753b064a0b3408726aa232feb7cf8a

SHA1
c76c3dc5ae1c05fdb34ae963646a904b60aa5759

SHA256
4cf2358692062cdd2920d5d1c6ebdb7f9b81b1d2e5c6fba24f1bc4027688185f

SHA512
9a12f495d4555e6b4ef9ab6173258ccaf73e718d29d4db134aeb551224016c7c1916261e3301280930f20601fede648cb796608e24d4690dec5fb90cd2d8cede

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
45fe08b7d7c81ae2a3d47fd804418e3a

SHA1
953d3dfc199eaadb96aeccfdfd25af4f6a492422

SHA256
bd81593ea4c9bb23d094a4149702624c32f058f00afb4925f9c7752747c02fab

SHA512
37351206259b387d058cafe242b17bb79ad1773c9b4cc9005be45c0a95a3ec18918e8d5ffa5af11b7d961516c639bf0e8847abc2073c50dc6defd5f39975acca

Download Submit
\??\Volume{266d1ca4-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{7fbb08b3-4afe-4e10-8fc9-a59c1e4ce498}_OnDiskSnapshotProp
MD5
229419edd1e1ec5571d46053b388e1e4

SHA1
0dcc0ba198b538561dc3167158d99fe6bd7f3f3a

SHA256
d86c8e1aa02b1812cf6a0de4643aa0db2ebd804dc55c49cddb819d6536c75aad

SHA512
f5ad19f78835d893841e9f9dbc8f467c06a16a81fdbc57bfc843caf664250e47d9d3dd17b383c60c7e5065fa94e94b8ef0816bf9d70d4cd6d5436287a734ac60

Download Submit
\Users\Admin\AppData\Local\Temp\MSIFDF2.tmp
MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\Windows\Installer\MSI6A4A.tmp
MD5
b2e2c24ebce4f188cf28b9e1470227f5

SHA1
9de61721326d8e88636f9633aa37fcb885a4babe

SHA256
233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69

SHA512
343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354

Download Submit
\Windows\Installer\MSI6B64.tmp
MD5
93394d2866590fb66759f5f0263453f2

SHA1
2f0903d4b21a0231add1b4cd02e25c7c4974da84

SHA256
5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b

SHA512
f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

Download Submit
\Windows\Installer\MSI6CAD.tmp
MD5
93394d2866590fb66759f5f0263453f2

SHA1
2f0903d4b21a0231add1b4cd02e25c7c4974da84

SHA256
5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b

SHA512
f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

Download Submit
\Windows\Installer\MSI6D89.tmp
MD5
b2e2c24ebce4f188cf28b9e1470227f5

SHA1
9de61721326d8e88636f9633aa37fcb885a4babe

SHA256
233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69

SHA512
343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354

Download Submit
\Windows\Installer\MSI6EA4.tmp
MD5
93394d2866590fb66759f5f0263453f2

SHA1
2f0903d4b21a0231add1b4cd02e25c7c4974da84

SHA256
5c29b8255ace0cd94c066c528c8ad04f0f45eba12fcf94da7b9ca1b64ad4288b

SHA512
f2033997b7622bd7cd6f30fca676ab02ecf6c732bd44e43358e4857b2cf5b227a5aa6bbbf2828c69dd902cbcc6ff983306787a46104ca000187f0cba3743c622

Download Submit
\Windows\Installer\MSI70A9.tmp
MD5
b2e2c24ebce4f188cf28b9e1470227f5

SHA1
9de61721326d8e88636f9633aa37fcb885a4babe

SHA256
233f5e43325615710ca1aa580250530e06339def861811073912e8a16b058c69

SHA512
343ea590c7f6b682b3b3e27fd4ab10ffeded788c08000c6dd1e796203f07bf9f8c65d64e9d4b17ce0da8eb17aaf1bd09c002359a89a7e5ab09cf2cb2960e7354

Download Submit
\Windows\Installer\MSI71D2.tmp
MD5
7e753b064a0b3408726aa232feb7cf8a

SHA1
c76c3dc5ae1c05fdb34ae963646a904b60aa5759

SHA256
4cf2358692062cdd2920d5d1c6ebdb7f9b81b1d2e5c6fba24f1bc4027688185f

SHA512
9a12f495d4555e6b4ef9ab6173258ccaf73e718d29d4db134aeb551224016c7c1916261e3301280930f20601fede648cb796608e24d4690dec5fb90cd2d8cede

Download Submit
memory/2716-118-0x0000000000000000-mapping.dmp

Download
memory/3572-123-0x0000000000000000-mapping.dmp

Download
memory/4124-130-0x0000000000000000-mapping.dmp

Download
memory/4204-135-0x0000000000000000-mapping.dmp

Download
memory/4304-144-0x0000000000000000-mapping.dmp

Download
memory/4364-149-0x0000000000000000-mapping.dmp

Download
memory/4480-156-0x0000000000000000-mapping.dmp

Download
memory/4512-159-0x0000000000000000-mapping.dmp

Download
memory/4684-162-0x0000000000000000-mapping.dmp

Download
memory/4732-164-0x0000000000000000-mapping.dmp

Download
memory/5012-168-0x0000000000000000-mapping.dmp

Download