1ffe8209764db06b2f65a1bf47d208bbd7c08f5b31d5f798ba6b397f04ae421c

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CapTalkSetup.msi
Size

22.0MB
MD5

73137946a664fcf4c79a8d4ab7e3e90e
SHA1

f9c0dd55ba400af20bab9fd9faf881c361810700
SHA256

1ffe8209764db06b2f65a1bf47d208bbd7c08f5b31d5f798ba6b397f04ae421c
SHA512

d7e122b43a4d8bc52386a4d2919091a4a3ff4e7900883f5242e6e8b646b6514081d95c9d748947088b8e47b2798709ade3df5c54b0d232a3445b3c9ff66d06af
SSDEEP

393216:oRXWmhkB2RevIOXmc87p5jcCknXXnS4BzYRzgG8vccAzT1H//jA44:7mS2GIumc8jjcCmBzQsGt/t4

Score

6^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	3040	msiexec.exe
5	3040	msiexec.exe
7	3040	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\FileRepository\beco.inf_amd64_neutral_6a871fe0193c1534\beco.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	dpinstx64.exe
File opened for modification	C:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{62ccaf94-a33a-5fab-ca9e-df0f09592b5e}\SET1891.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{62ccaf94-a33a-5fab-ca9e-df0f09592b5e}\beco.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\msvcr100.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp100d.dll	msiexec.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{62ccaf94-a33a-5fab-ca9e-df0f09592b5e}\SET1890.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{62ccaf94-a33a-5fab-ca9e-df0f09592b5e}\SET1891.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\beco.inf_amd64_neutral_6a871fe0193c1534\beco.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{62ccaf94-a33a-5fab-ca9e-df0f09592b5e}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr100d.dll	msiexec.exe
File created	C:\Windows\System32\DriverStore\Temp\{62ccaf94-a33a-5fab-ca9e-df0f09592b5e}\SET1890.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{62ccaf94-a33a-5fab-ca9e-df0f09592b5e}\beco.cat	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\dnp_logo.jpg	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\CapTalk S-6280.exe	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\Security.DLL	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\M6280AutoAdaptive.DLL	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\M6280_B.DLL	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V02.00.02.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\ToolTip.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\UserData.xslt	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\Readme CapTalk for M6280.rtf	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\CommunicationDll.DLL	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\beco install.bmp	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\Software Agreement.rtf	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\M-6280A Instruction Book.pdf	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V03.04.00.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\beco banner.bmp	msiexec.exe
File created	C:\PROGRA~1\DIFX\049F92817B59CD0F\dpinstx64.exe	dpinstx64.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP3DeviceProfileMar2009.xslt	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\Protocol Documents\M-6280A_DNP.pdf	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\USB Drivers\beco.cat	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\USB Drivers\dpinstx64.exe	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280_dnp.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V03.10.00.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V01.08.03.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V03.13.06.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V03.04.02.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V02.00.00.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\Devices.cfg	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V03.11.00.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\Protocol Documents\M-6280A_MODBUS.pdf	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\BasicControls.DLL	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\USB Drivers\beco.inf	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\USB Drivers\patchMsiForDriver.vbs	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\M-6280 Instruction Book.pdf	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\USB Drivers\dpinstx86.exe	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V03.14.01.xml	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\CapPlot.exe	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\M-6280A MOD764 Instruction Book.pdf	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP3DeviceProfileMar2009.xsx	msiexec.exe
File created	C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP3DeviceProfileMar2009.xsd	msiexec.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76ecde.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2AC.tmp	msiexec.exe
File created	C:\Windows\Installer\{51DECD58-63FE-4EA5-AB32-B7139D3F2FB9}\_853F67D554F05449430E7E.exe	msiexec.exe
File created	C:\Windows\Installer\{51DECD58-63FE-4EA5-AB32-B7139D3F2FB9}\_831F1991D64B517E904204.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{51DECD58-63FE-4EA5-AB32-B7139D3F2FB9}\_831F1991D64B517E904204.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	dpinstx64.exe
File created	C:\Windows\Installer\f76ece1.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76ecdf.ipi	msiexec.exe
File created	C:\Windows\Installer\f76ecdf.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\{51DECD58-63FE-4EA5-AB32-B7139D3F2FB9}\_853F67D554F05449430E7E.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{51DECD58-63FE-4EA5-AB32-B7139D3F2FB9}\_3A256DB79DBC1744937FB6.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\DPINST.LOG	dpinstx64.exe
File opened for modification	C:\Windows\Installer\f76ecde.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEEF3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF02C.tmp	msiexec.exe
File created	C:\Windows\Installer\{51DECD58-63FE-4EA5-AB32-B7139D3F2FB9}\_3A256DB79DBC1744937FB6.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe

Executes dropped EXE 2 IoCs

pid	Process
1956	dpinstx64.exe
1636	CapTalk S-6280.exe

Loads dropped DLL 9 IoCs

pid	Process
2428	MsiExec.exe
2428	MsiExec.exe
2296	MsiExec.exe
2296	MsiExec.exe
1248	msiexec.exe
844	Process not Found
844	Process not Found
1636	CapTalk S-6280.exe
1636	CapTalk S-6280.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000507a4d03536ada01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000507a4d03536ada01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0db4f03536ada01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000507a4d03536ada01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	rundll32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	CapTalk S-6280.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	CapTalk S-6280.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	CapTalk S-6280.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	CapTalk S-6280.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|M6280_B.DLL\M6280_B,Version="10.25.1.0",Culture="neutral",ProcessorArchitecture="x86" = 240058005b00420042002400510054003f0041007d0068005b0044002900430034002600540064003e006100700073006d006a0078004a0038006d005e0061006d0033003600450079003d005e004300540000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|M6280AutoAdaptive.DLL	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	CapTalk S-6280.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	CapTalk S-6280.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	CapTalk S-6280.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	CapTalk S-6280.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy	CapTalk S-6280.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\85DCED15EF365AE4BA237B31D9F3F29B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\SourceList\PackageName = "CapTalkSetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	CapTalk S-6280.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	CapTalk S-6280.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	CapTalk S-6280.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|CommunicationDll.DLL\CommunicationDll,Version="1.1.6337.15712",Culture="neutral",ProcessorArchitecture="x86" = 240058005b00420042002400510054003f0041007d0068005b0044002900430034002600540064003e006c00670038004000510063007800590029002e004300450065004b007a0033007200750077004a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|BasicControls.DLL	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|BasicControls.DLL\BasicControls,Version="10.25.1.0",Culture="neutral",ProcessorArchitecture="x86" = 240058005b00420042002400510054003f0041007d0068005b0044002900430034002600540064003e004c003f005e0042004e0072003200210037004b0042004f006f005a00590051006f004b007200670000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9072A68864E4E3144B35714CC1ADFDEB\85DCED15EF365AE4BA237B31D9F3F29B	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	CapTalk S-6280.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	CapTalk S-6280.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|CommunicationDll.DLL	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\PackageCode = "0E45ED7FE98D2C241A3E19B45F252518"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\ProductIcon = "C:\\Windows\\Installer\\{51DECD58-63FE-4EA5-AB32-B7139D3F2FB9}\\_853F67D554F05449430E7E.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|M6280_B.DLL	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|CapTalk S-6280.exe	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\IconSize = "16"	CapTalk S-6280.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	CapTalk S-6280.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\TV_TopViewVersion = "0"	CapTalk S-6280.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|Security.DLL	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	CapTalk S-6280.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy	CapTalk S-6280.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	CapTalk S-6280.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|M6280AutoAdaptive.DLL\M6280AutoAdaptive,Version="10.25.1.0",Culture="neutral",ProcessorArchitecture="x86" = 240058005b00420042002400510054003f0041007d0068005b0044002900430034002600540064003e005600410042007d007200420046003f007e007a00720042004e004c0027006b006b004e006f003d0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	CapTalk S-6280.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	CapTalk S-6280.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\Version = "169410561"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Mode = "4"	CapTalk S-6280.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\85DCED15EF365AE4BA237B31D9F3F29B\DefaultFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	CapTalk S-6280.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\85DCED15EF365AE4BA237B31D9F3F29B\ProductName = "CapTalk M-6280 Series Model S-6280"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	CapTalk S-6280.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|Security.DLL\Security,Version="1.0.8502.28008",Culture="neutral",ProcessorArchitecture="x86" = 240058005b00420042002400510054003f0041007d0068005b0044002900430034002600540064003e003300480071004f004200360071006e0066005b00690059007800510077006b002c00370049004c0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	CapTalk S-6280.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	CapTalk S-6280.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\LogicalViewMode = "1"	CapTalk S-6280.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	CapTalk S-6280.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlgLegacy\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616257"	CapTalk S-6280.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|BECOWare\|CapTalk M-6280 Series Model S-6280\|CapTalk S-6280.exe\CapTalk S-6280,Version="10.25.1.0",Culture="neutral",ProcessorArchitecture="x86" = 240058005b00420042002400510054003f0041007d0068005b0044002900430034002600540064003e0044006b005300630076005f003d004b002a002e006c00680035006500720079005a0041005d00610000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9072A68864E4E3144B35714CC1ADFDEB	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1248	msiexec.exe
1248	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3040	msiexec.exe
Token: SeRestorePrivilege	1248	msiexec.exe
Token: SeTakeOwnershipPrivilege	1248	msiexec.exe
Token: SeSecurityPrivilege	1248	msiexec.exe
Token: SeCreateTokenPrivilege	3040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3040	msiexec.exe
Token: SeLockMemoryPrivilege	3040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3040	msiexec.exe
Token: SeMachineAccountPrivilege	3040	msiexec.exe
Token: SeTcbPrivilege	3040	msiexec.exe
Token: SeSecurityPrivilege	3040	msiexec.exe
Token: SeTakeOwnershipPrivilege	3040	msiexec.exe
Token: SeLoadDriverPrivilege	3040	msiexec.exe
Token: SeSystemProfilePrivilege	3040	msiexec.exe
Token: SeSystemtimePrivilege	3040	msiexec.exe
Token: SeProfSingleProcessPrivilege	3040	msiexec.exe
Token: SeIncBasePriorityPrivilege	3040	msiexec.exe
Token: SeCreatePagefilePrivilege	3040	msiexec.exe
Token: SeCreatePermanentPrivilege	3040	msiexec.exe
Token: SeBackupPrivilege	3040	msiexec.exe
Token: SeRestorePrivilege	3040	msiexec.exe
Token: SeShutdownPrivilege	3040	msiexec.exe
Token: SeDebugPrivilege	3040	msiexec.exe
Token: SeAuditPrivilege	3040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3040	msiexec.exe
Token: SeChangeNotifyPrivilege	3040	msiexec.exe
Token: SeRemoteShutdownPrivilege	3040	msiexec.exe
Token: SeUndockPrivilege	3040	msiexec.exe
Token: SeSyncAgentPrivilege	3040	msiexec.exe
Token: SeEnableDelegationPrivilege	3040	msiexec.exe
Token: SeManageVolumePrivilege	3040	msiexec.exe
Token: SeImpersonatePrivilege	3040	msiexec.exe
Token: SeCreateGlobalPrivilege	3040	msiexec.exe
Token: SeCreateTokenPrivilege	3040	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3040	msiexec.exe
Token: SeLockMemoryPrivilege	3040	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3040	msiexec.exe
Token: SeMachineAccountPrivilege	3040	msiexec.exe
Token: SeTcbPrivilege	3040	msiexec.exe
Token: SeSecurityPrivilege	3040	msiexec.exe
Token: SeTakeOwnershipPrivilege	3040	msiexec.exe
Token: SeLoadDriverPrivilege	3040	msiexec.exe
Token: SeSystemProfilePrivilege	3040	msiexec.exe
Token: SeSystemtimePrivilege	3040	msiexec.exe
Token: SeProfSingleProcessPrivilege	3040	msiexec.exe
Token: SeIncBasePriorityPrivilege	3040	msiexec.exe
Token: SeCreatePagefilePrivilege	3040	msiexec.exe
Token: SeCreatePermanentPrivilege	3040	msiexec.exe
Token: SeBackupPrivilege	3040	msiexec.exe
Token: SeRestorePrivilege	3040	msiexec.exe
Token: SeShutdownPrivilege	3040	msiexec.exe
Token: SeDebugPrivilege	3040	msiexec.exe
Token: SeAuditPrivilege	3040	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3040	msiexec.exe
Token: SeChangeNotifyPrivilege	3040	msiexec.exe
Token: SeRemoteShutdownPrivilege	3040	msiexec.exe
Token: SeUndockPrivilege	3040	msiexec.exe
Token: SeSyncAgentPrivilege	3040	msiexec.exe
Token: SeEnableDelegationPrivilege	3040	msiexec.exe
Token: SeManageVolumePrivilege	3040	msiexec.exe
Token: SeImpersonatePrivilege	3040	msiexec.exe
Token: SeCreateGlobalPrivilege	3040	msiexec.exe
Token: SeCreateTokenPrivilege	3040	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3040	msiexec.exe
3040	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1636	CapTalk S-6280.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 2428	1248	msiexec.exe	29
PID 1248 wrote to memory of 2428	1248	msiexec.exe	29
PID 1248 wrote to memory of 2428	1248	msiexec.exe	29
PID 1248 wrote to memory of 2428	1248	msiexec.exe	29
PID 1248 wrote to memory of 2428	1248	msiexec.exe	29
PID 1248 wrote to memory of 2428	1248	msiexec.exe	29
PID 1248 wrote to memory of 2428	1248	msiexec.exe	29
PID 1248 wrote to memory of 2296	1248	msiexec.exe	35
PID 1248 wrote to memory of 2296	1248	msiexec.exe	35
PID 1248 wrote to memory of 2296	1248	msiexec.exe	35
PID 1248 wrote to memory of 2296	1248	msiexec.exe	35
PID 1248 wrote to memory of 2296	1248	msiexec.exe	35
PID 1248 wrote to memory of 2296	1248	msiexec.exe	35
PID 1248 wrote to memory of 2296	1248	msiexec.exe	35
PID 1248 wrote to memory of 1956	1248	msiexec.exe	36
PID 1248 wrote to memory of 1956	1248	msiexec.exe	36
PID 1248 wrote to memory of 1956	1248	msiexec.exe	36
PID 1248 wrote to memory of 1956	1248	msiexec.exe	36
PID 1248 wrote to memory of 1956	1248	msiexec.exe	36
PID 2364 wrote to memory of 2084	2364	DrvInst.exe	39
PID 2364 wrote to memory of 2084	2364	DrvInst.exe	39
PID 2364 wrote to memory of 2084	2364	DrvInst.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CapTalkSetup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3040

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C152A153297618AE99DDDC5781B2FC46 C
  2⤵
  - Loads dropped DLL
  PID:2428
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 15D7BAF486244B47D0F86385DE7DD48C
  2⤵
  - Loads dropped DLL
  PID:2296
- C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\USB Drivers\dpinstx64.exe
  "C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\USB Drivers\dpinstx64.exe" /f
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2928

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000032C" "00000000000004DC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1192

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0b1c524e-faca-1a8b-77dd-de4297946c58}\beco.inf" "9" "63fd6b05f" "0000000000000300" "WinSta0\Default" "00000000000003B8" "208" "c:\program files (x86)\becoware\captalk m-6280 series model s-6280\usb drivers"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{7a8e3d69-4829-6f0f-e7b0-5e2a6acd996b} Global\{7e044caf-1beb-2ecd-ecd5-956653b7bb12} C:\Windows\System32\DriverStore\Temp\{62ccaf94-a33a-5fab-ca9e-df0f09592b5e}\beco.inf C:\Windows\System32\DriverStore\Temp\{62ccaf94-a33a-5fab-ca9e-df0f09592b5e}\beco.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084

C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\CapTalk S-6280.exe
"C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\CapTalk S-6280.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76ece0.rbs

Filesize
20KB

MD5
1b009f43464d12cb14214b7ab00d7b17

SHA1
1f46672135178f85ba2216f25021bd04c63461d1

SHA256
74354f8e344b7ed7e5afb63229bef3e146de3a2c14e429fb1cc416409f5a1702

SHA512
2c2a2b709301020e5e66664aceb624cb906e0077baf6763681f8f50bccd02f133f64d468917db0f7e3f13b08c2bf5a1b3e37f3a180cce6e5b4497800db873fde

Download Submit
C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\BasicControls.dll

Filesize
308KB

MD5
49c1bf9fa936459912b8e5a4ace28310

SHA1
6007e77a36e867fa5f302a87d8f412c8eba3026b

SHA256
a971bf658fd921c6e385893244015ff4b5ad0fea6def12cf6a4f64154cbabf59

SHA512
4c033ba4e4beac0498ec2e5ddc07eb6efdf2cb0d729ec0c61e517396a2ced86d6e73038a0cc340e3828911166cda0c2b82a1acf7d69822af3e84ec29f08c5002

Download Submit
C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\CapTalk S-6280.exe

Filesize
322KB

MD5
ef8b2c59d036cc3d180febd88009c466

SHA1
39bd856b08d8e166ff77df80e145d2fd899647cf

SHA256
a3f66833257309e0911068817437c020a79cf4f8b606c7712e1b0ba89dc9ea18

SHA512
141baadf52f7c293fe1c4b8b1f7cbff39d11dda2aae60f9d017d8be4a1c8ab1d9ad5182bdeb77d9d101ee953b165255dc6ecc076aa8a99f37ea6fbd10098351d

Download Submit
C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\DNP FILES\M6280A_dnp_V03.13.06.xml

Filesize
85KB

MD5
4b6c0c84d74e958475d89404d6b479aa

SHA1
bd8037e497980ed4ab6d233305df58c1d72de644

SHA256
a8a4d277ef0cb082f9ec92aea1acee3ae5e8452f835e30e57d3fdd02f0d53b73

SHA512
44b1083fa7744fce9cd54d25054e9d5bc140d4390925aca9057c866c7d50ad440ea90a3b5061efadd66723d0b923a3e4363ea18fecd1a3281d70116d05863d4f

Download Submit
C:\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\Devices.cfg

Filesize
14KB

MD5
8cc98f01b10f787e1270421a40ef1a54

SHA1
319521884465ffb978e6f6959a333e079c1b0b2f

SHA256
8bdb3a5f3927851fcc346e7e4bd0137b74c1e2b6bc39f871da310f069dc0c46b

SHA512
0eb1562fa1cb3cf9c4afaca46541ab7d88c7a0599975ef34d7285fa177fb3e4f3b68333bf05d16768a9d73756dcc34a60147254426809a6fd336441cd86a9b0c

Download Submit
C:\ProgramData\CAPTALK\S-6280\CAPTALK.xml

Filesize
120B

MD5
8c375891f9cd3a649d66a078439ad496

SHA1
9c24cc506eddf7be121fc1c2bfd5625096e0da51

SHA256
599210cbc0e7fffa6b2d3f7c26f090c0e6684cafee6b55c4e84af0473d2b7841

SHA512
cf6b03ba614a3e1e75f3ae1ca9e549fdecf165601f4817581aeac015ae0bba30d038d09293ead122a9476991dda72b2e1d7bcf2705a455e4ce2e2596a7ff2259

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
6e60c7d70f253cbb0fe9e4334cc493b5

SHA1
290ff5123a064905b2c5486084617bd230665608

SHA256
4d87456c38bb4c374d8e65f86a16165d991c3f925298d14677814ff1a4c3a454

SHA512
fd6664180fc351d412d25a15f427fa3bca27706395cc0ae12d99a71e4874213d4a4afb513dd282d9ca2122433df88e8f0ecf2a77fc091500f25c57521ccfc474

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_8CE18CC9C36B05C7F783250A89467500

Filesize
727B

MD5
f1a0b5728d8c7b23d4aee89361667133

SHA1
8153bda3d0fb7a2f28b6e5c36824508e47113099

SHA256
5b63e4d7f1eb93fa113961099d1015cb32e34df3708db27577503c238040a77f

SHA512
3b3e7a191171ae69134fb3a093a9af6b669a9af5570abb644a408ee0a8e0dce4552d76eba2913bfa1b57e30b93cd70ac1483c77c2d33f613b9f0c60520b80c45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
c95296415b0542e4ed1c124b3ad3aac5

SHA1
8ac2e9105e61504d4b2815e8eb63ed9604d76ced

SHA256
41b41335a4341612da1cf360c5dee5d8d7953f042536d2ad4a6521e82c6226d2

SHA512
955e8667da578bca010a01e74ac243bedbb9b28e3515b0b12c9f38959d5dd269e31bf86c083e66bc7a62a334d575ba46fd5c6b5fa815ac6f33ea34e72adf6128

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
b8d25542274d012e3ba8bb3f2fcfa7e8

SHA1
587a14909e2991a2950f81ac543abd54611ad7a9

SHA256
700f930d0a61c6e47dea05d224b0a74b01b7f58f100595ed29ed370b8a8159fe

SHA512
f3e037ce9f534ae8987bddeb0720ee244d88f5f919ae8b9e547a8b619fcdc89dc6bea639ca325bfa38593f2ef2eded330c65361a93f39282daed8a6cae9712d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_8CE18CC9C36B05C7F783250A89467500

Filesize
412B

MD5
21fe94cdc90bcc31de166a499ab88cfd

SHA1
fb35413c3fee081aaf6c35594c334ce6273c0b2d

SHA256
b6aebcfcd195f04e6344d57f3359048bc2b11e92662394d9ae5161a2a30c6636

SHA512
4cdc9229aec9002895ee8e03641fb423fafc2d71225da9260a5fddaeb6f519632ec7b61cb63ce8dbfd8dd1d610ab98dd5782bbdf2ca3cf84be5dff49dd1f2f15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
073e4cc121fef47e7ac0cfba40dde0eb

SHA1
2368e8919cff909cda200575d4944291321565bd

SHA256
28072da441f4d02be6d2af8e75979735675b08b1f6418e0f6701be5005e3cbba

SHA512
c8015a1df935caba5926049d13196d9559a5674f450d155cacbd3054c23648834a5c712a678db812f4a04d3396580017128b519183b74e1d5112bdad870eeaa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
1ee52df5f3d3e46b406e3045549a17c9

SHA1
bb324bf62b2c274b454455520d2d6ff9d85aff9d

SHA256
648f27da25c942ea18f44f6f5d49b36e4b93565b5435ad395a0686cc00090e44

SHA512
f37fc556094719e5225dabe2a30631a0a6f7aa19a501ba2396a8653fcd81341b612fd92ee70e04a19676f80d4637649b0e7a33ea3c37e938b7a009be95d2fb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4F20.tmp

Filesize
231KB

MD5
5494165b1384faeefdd3d5133df92f5a

SHA1
b7b82805f1a726c4eee39152d1a6a59031d7798c

SHA256
ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055

SHA512
ecd5012df2a060fa58664e856a84716f162d3420e7a7a1368612451ec65f2dcd674c7031d780a6c9d357700f6baeb31325748bc29270850ee4070079f15be613

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE56.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\Installer\f76ecde.msi

Filesize
22.0MB

MD5
73137946a664fcf4c79a8d4ab7e3e90e

SHA1
f9c0dd55ba400af20bab9fd9faf881c361810700

SHA256
1ffe8209764db06b2f65a1bf47d208bbd7c08f5b31d5f798ba6b397f04ae421c

SHA512
d7e122b43a4d8bc52386a4d2919091a4a3ff4e7900883f5242e6e8b646b6514081d95c9d748947088b8e47b2798709ade3df5c54b0d232a3445b3c9ff66d06af

Download Submit
C:\Windows\Installer\{51DECD58-63FE-4EA5-AB32-B7139D3F2FB9}\_831F1991D64B517E904204.exe

Filesize
766B

MD5
4a7a1e7e7a98bf69082ef12699f30feb

SHA1
176ebade5f152c33403b23c3e06042191d7bb0cf

SHA256
001294756c87e0903ef7d6b13607378614d3a1f2b30bd28fe4b2ff4380a16cde

SHA512
13640ad80b795d01e693b4361110603803b5f4060b1b3d9812bedbc84ce2501d0a05ac0ef4448398106eeca5031e9452c860eec2b9714a15a4e1e2696b232959

Download Submit
C:\Windows\System32\DriverStore\FileRepository\beco.inf_amd64_neutral_6a871fe0193c1534\beco.PNF

Filesize
7KB

MD5
22c69f3fa9a8c3da0612e41aed56305f

SHA1
15777b5a76e2920bdecb922ca0f821b8c24d2479

SHA256
205bc769635b3058d7f24ec101695a27b18c545d263fdf34d07a01bebe7c4f77

SHA512
f19e7b054c5881ffdca721eb01758df5aa169a6df469928f94bb9509d0dd8a2c3b87e1a4cd217594f783b25bed308d96700e3fc288a05c894b856aebc1182213

Download Submit
\??\c:\program files (x86)\becoware\captalk m-6280 series model s-6280\usb drivers\beco.cat

Filesize
11KB

MD5
aa820cd50b9e373b2bd16bbab7f8cba2

SHA1
ca0a64d9b865dc85e676f1a5e833db3ff5a35a5f

SHA256
d7a4ae53ded255d53a78545d9b66d0c936afc54701b3e51b728dd673c581f7ab

SHA512
758c0ac32c95f4f69193d5dcb096e0108aa80a826e99eadc2bfde76b7ce8d196a1e8cce6ab9fe20f3c421b591c9ff72d0af42e0ef13325a3e7bf7384b9b9eefc

Download Submit
\??\c:\program files (x86)\becoware\captalk m-6280 series model s-6280\usb drivers\beco.inf

Filesize
2KB

MD5
0ed3a9c7fc84f3654a3e526112212eeb

SHA1
77b97dc5d5ed89698410a91753a53b9302fb016c

SHA256
9ad980c0f5a718b9d7e2dfe201f1a51da991cae7cef113baa1ee95adfb8c8731

SHA512
43f7e93f9124527427147e29482fe6ebd5c7cf0a2f23150d40a5bb52040a877f3812ed9680fc617b20b22abbf9a75df0b67ef529be7cfad92aa0cea3fc51f1e2

Download Submit
\Program Files (x86)\BECOWare\CapTalk M-6280 Series Model S-6280\USB Drivers\dpinstx64.exe

Filesize
666KB

MD5
2f016e7f3a600f6f507a9fd26d5c0762

SHA1
bbed11f79756cec74782001c8eda3fb1fe512b65

SHA256
37b6e09fdd3691444514fbc7ab87f213b55fb0c8ba6a4c80cd508a7758588475

SHA512
c0dd42b9ecbf358f036a73fc2f82e6aee18138fdc6e644cf8fd1b3926c52d5e06bb17ebfd74aa1c293662b34a22c29b6879622aa5058f55431819d6538687c43

Download Submit
memory/1636-195-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/1636-194-0x0000000000BD0000-0x0000000000C24000-memory.dmp

Filesize
336KB

Download
memory/1636-199-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/1636-200-0x0000000000460000-0x00000000004B0000-memory.dmp

Filesize
320KB

Download
memory/1636-205-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/1636-222-0x00000000021E0000-0x00000000021E2000-memory.dmp

Filesize
8KB

Download
memory/1636-223-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/1636-224-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/2084-165-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download