ae5a608d1f60cd2a180c3f2f49304deb00d2082762e22614f88312a8f121214a

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NotifyConnect.exe
Size

13.8MB
MD5

27a948607ab53fe815617effb81600d1
SHA1

86a50ff946d264cd717de00d440cfd224ed46894
SHA256

ae5a608d1f60cd2a180c3f2f49304deb00d2082762e22614f88312a8f121214a
SHA512

b0f55ba415d66a958150546f7153ace1ed2478ce26b52d1f6b092d7bc746ca2f8a3305830ab026820ff70c8fb74ac38489192ffdd11645c5e3d442d892cfef0d
SSDEEP

196608:HMwAeseEJOAQPDt8sFXOQdJrsBemmRjHlmxi1sfZafCFYLM9ltd5Cxzgx:zkeJAaesFXOQoAzDr17LtzM

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
1588	MsiExec.exe
2824	MsiExec.exe
2824	MsiExec.exe
2824	MsiExec.exe
2824	MsiExec.exe
2824	MsiExec.exe
1588	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Inttelix.Device.FaceAccess.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ResourcesMD\ConexaoDesativada.ico	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ResourcesMD\Synchronize.png	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\PropertiesMD\Settings.settings	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\NServiceKit.Interfaces.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\NServiceKit.Redis.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\zkemkeeper.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\NHibernate.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\System.Data.Entity.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\lzo2_64.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\HDCP_Utils.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Common.Logging.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\FluentFTP.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\System.Data.DataSetExtensions.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\comms.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ResourcesMD\Icone.ico	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\PropertiesMD\AssemblyInfo.cs	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ConnectNewPointClient.exe	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\log4net.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\NotifyConnect.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\NHttp.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ConnectNewPointRecycle.exe	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ConnectNewPoint.exe.config	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Quartz.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\System.Data.Services.Design.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\itextsharp.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Iesi.Collections.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\pt-PT\NotifyConnect.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Interop.BioBridgeSDKLib.DLL	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Inttelix.Crypto.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\msvcr71.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\NServiceKit.Common.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\zkemsdk.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\NotifyMDConnect.exe.config	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ConnectNewPoint.exe	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\RestSharp.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Microsoft.Practices.ServiceLocation.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\SecurityRep.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ResourcesMD\icon_Notify.ico	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\HwDevComm.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Inttelix.Device.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\MsgPack.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ResourcesMD\soft_logo_login.png	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\NotifyMDConnect.exe	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Rebex.Common.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Rebex.Networking.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Inttelix.Device.FaceLock.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ResourcesMD\ConexaoAtivada.ico	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\System.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Interop.zkemkeeperbz900.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Castle.DynamicProxy.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\Inttelix.Usb.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ResourcesMD\Delete.png	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\commpro.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ConnectNewPoint.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\System.Xml.Linq.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\plce.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\tcpcomm.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\System.Data.Services.Client.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\es-MX\NotifyConnect.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\ResourcesMD\Icon_Madis.ico	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\PropertiesMD\Resources.Designer.cs	msiexec.exe
File created	C:\Program Files (x86)\NotifyConnect\NotifyConnect\lzo2.dll	msiexec.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f7657c2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI588C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C86.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7657c1.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI58AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A63.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\4498E3485604141479C8EF106AEBC073\5.4.23	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\4498E3485604141479C8EF106AEBC073\5.4.23\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24	msiexec.exe
File created	C:\Windows\Installer\{843E8944-4065-4141-978C-FE01A6BE0C37}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\f7657c4.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7657c2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\4498E3485604141479C8EF106AEBC073	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\4498E3485604141479C8EF106AEBC073\5.4.23\Global_VC_CRT_f0.51D569E0_8A28_11D2_B962_006097C4DE24	msiexec.exe
File opened for modification	C:\Windows\Installer\{843E8944-4065-4141-978C-FE01A6BE0C37}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{843E8944-4065-4141-978C-FE01A6BE0C37}\NewShortcut1_6447403392A54FFA9CB05E95BBEB46B7.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5DFE.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\{843E8944-4065-4141-978C-FE01A6BE0C37}\NewShortcut1_6447403392A54FFA9CB05E95BBEB46B7.exe	msiexec.exe
File created	C:\Windows\Installer\f7657c1.msi	msiexec.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1684	sc.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\ = "ZKEMKeeper 6.0 Control"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Util.dll\NServiceKit.Interfaces,Version="1.0.0.0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e005900660032003900610027007100580079006200470058006100260029005100480077005f00270000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Util.dll\itextsharp,Version="5.5.6.0",PublicKeyToken="8354AE6D2174DDCA",Culture="neutral",FileVersion="5.5.6.0",ProcessorArchitecture="MSIL" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e005f0079007200640065006a002700570025006d002b002a0063005500460053007a0079002800560000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\ = "CZKEM Object"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\TypeLib\ = "{FE9DED34-E159-408E-8490-B720A5E632C7}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\TypeLib\ = "{FE9DED34-E159-408E-8490-B720A5E632C7}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|en-BR\|Util.resources.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Util.dll\MsgPack,Version="0.9.0.0",PublicKeyToken="A2625990D5DC0167",Culture="neutral",FileVersion="0.9.144.0",ProcessorArchitecture="MSIL" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e0069003d004700330044002a00400062004c0028002b005a0044004a0024002700240033002e002d0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM.1\CLSID\ = "{00853A19-BD51-419B-9269-2DABE57EB61F}"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|NotifyMDConnect.exe\Rebex.Ftp,Version="5.0.7357.0",PublicKeyToken="1C4638788972655D",Culture="neutral",FileVersion="5.0.7357.0",ProcessorArchitecture = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e00720044007d007d0043003000420032006f004a0053002100280065003d007b0078004d006e00210000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4498E3485604141479C8EF106AEBC073\Version = "84148247"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\TypeLib\ = "{FE9DED34-E159-408E-8490-B720A5E632C7}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Microsoft.Practices.ServiceLocation.dll\Microsoft.Practices.ServiceLocation,Version="1.0.0.0",PublicKeyToken="31BF3856AD364E35",Culture="neutral",Fil = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e004900440026005d006f00340025004100710039002e00310051004800680047004c0024007900660000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Iesi.Collections.dll	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|NotifyMDConnect.exe\NHttp,Version="0.1.9.0",PublicKeyToken="156364E4F7B202D9",Culture="neutral",FileVersion="0.1.9.0",ProcessorArchitecture="X86" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e006400670021003500560065004100730042003f0035006b0046004a0070006900250021006c00740000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\VersionIndependentProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\VersionIndependentProgID\ = "zkemkeeper.ZKEM"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\TypeLib\ = "{FE9DED34-E159-408E-8490-B720A5E632C7}"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|FluentFTP.dll\FluentFTP,Version="23.1.0.0",PublicKeyToken="F4AF092B1D8DF44F",Culture="neutral",FileVersion="23.1.0.0",ProcessorArchitecture="MSIL" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e00740074006d006e0033005a0048005300560040004d0042003600500035005200480055002500490000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4498E3485604141479C8EF106AEBC073	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\ProgID\ = "zkemkeeper.ZKEM.1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Inttelix.Device.dll\Inttelix.Device,Version="3.6.1.0",PublicKeyToken="76AE8F5EA0678EC3",Culture="neutral",FileVersion="3.6.1.0",ProcessorArchitecture = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e007200240060006900660079002400540076003d0025003f0044007b006e0074007b006c0065004f0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|NHibernate.dll\NHibernate,Version="1.2.1.4000",PublicKeyToken="AA95F207798DFDB4",Culture="neutral",FileVersion="1.2.1.4000",ProcessorArchitecture="MS = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e00730042007a00430066005a0072005b002e0040005a005100490079006f007800400028003700480000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|SecurityRep.dll\SecurityRep,Version="1.0.0.0",PublicKeyToken="429D4908CC20F9A0",Culture="neutral",FileVersion="1.0.0.0",ProcessorArchitecture="MSIL" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e00520029005000600071004e006600540060003d006e0053004f00670031003f005f0033007300320000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4498E3485604141479C8EF106AEBC073\PackageCode = "258CCFB98AE4A0941AD7E5560AEA53D4"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4498E3485604141479C8EF106AEBC073\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\MiscStatus\1\ = "131473"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Interop.BioBridgeSDKLib.DLL\Interop.BioBridgeSDKLib,Version="1.0.0.0",PublicKeyToken="10B4CCB400CB4892",Culture="neutral",FileVersion="1.0.0.0",Proce = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e0045004d0041007500300031004a00640046003d0052002a007e00740077007d00210028004e00660000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Common.Logging.dll\Common.Logging,Version="1.2.0.0",PublicKeyToken="AF08829B84F0328E",Culture="neutral",FileVersion="1.2.0.0" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e007d0071003d0033004d0050004e0033004d003d004300260062006d004c0032004e0025005d00690000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4498E3485604141479C8EF106AEBC073\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\MiscStatus\1	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|pt-PT\|NotifyConnect.resources.dll\NotifyConnect.resources,Version="5.4.23.0",Culture="pt-PT",FileVersion="5.4.23.0",ProcessorArchitecture="X86" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e0060002d0040006f00600075006900520028003f00440050004300470028006300520031007e00790000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\ProgID\ = "zkemkeeper.ZKEM.1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ProxyStubClsid32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Util.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|ConnectNewPoint.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\Version\ = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE9DED34-E159-408E-8490-B720A5E632C7}\1.0\0	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|NHibernate.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Inttelix.Device.FaceAccess.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\MiscStatus\1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\TypeLib\Version = "1.0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Microsoft.Practices.Unity.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM\ = "CZKEM Object"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00853A19-BD51-419B-9269-2DABE57EB61F}\InprocServer32\InprocServer32 = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e006600480054005f00400066003500440056003f004c003d0072006e003400400055006d004a007a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\zkemkeeper.ZKEM.1\ = "CZKEM Object"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{FE9DED34-E159-408E-8490-B720A5E632C7}	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|WatchComm.dll\WatchComm,Version="3.12.0.0",PublicKeyToken="DC1B8E1E76F25A13",Culture="neutral",FileVersion="3.12.0.0",ProcessorArchitecture="X86" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e00480044002a004400610042002800310047003f00350055006d00760058007900540042007100320000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|ConnectNewPointClient.exe	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|Util.dll\System.Web.Extensions,Version="3.5.0.0",PublicKeyToken="31BF3856AD364E35",Culture="neutral",FileVersion="3.5.30729.5458",ProcessorArchitectu = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e0070006f00210036005f005e004f00560067005100720057006a00520024007a004600710067004b0000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|NotifyMDConnect.exe\Rebex.Common,Version="5.0.7357.0",PublicKeyToken="1C4638788972655D",Culture="neutral",FileVersion="5.0.7357.0",ProcessorArchitect = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e00470024004800390068007b00270063002700590027007e00620075006c005700590029003200340000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D0F3750AA513FDC4E94033E249E523E6	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF83B580-5D32-4C65-B44E-BEDC750CDFA8}\TypeLib	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{102F4206-E43D-4FC9-BAB0-331CFFE4D25B}\ = "IZKEM"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\zkemkeeper.DLL\AppID = "{FE9DED34-E159-408E-8490-B720A5E632C7}"	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Program Files (x86)\|NotifyConnect\|NotifyConnect\|NotifyConnect.dll\NotifyConnect,Version="5.4.23.0",Culture="neutral",FileVersion="5.4.23.0",ProcessorArchitecture="X86" = 640038006a005200520050006a0063007b0038004c00270051005f0021007d004c007500630035003e007000490047007d00320077004f007a00430041002a006800270054004f0034004100720027005a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4498E3485604141479C8EF106AEBC073\Instalador_KairosConnec	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2044	msiexec.exe
2044	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2456	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2456	MSIEXEC.EXE
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeSecurityPrivilege	2044	msiexec.exe
Token: SeCreateTokenPrivilege	2456	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2456	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2456	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2456	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2456	MSIEXEC.EXE
Token: SeTcbPrivilege	2456	MSIEXEC.EXE
Token: SeSecurityPrivilege	2456	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2456	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2456	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2456	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2456	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2456	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2456	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2456	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2456	MSIEXEC.EXE
Token: SeBackupPrivilege	2456	MSIEXEC.EXE
Token: SeRestorePrivilege	2456	MSIEXEC.EXE
Token: SeShutdownPrivilege	2456	MSIEXEC.EXE
Token: SeDebugPrivilege	2456	MSIEXEC.EXE
Token: SeAuditPrivilege	2456	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2456	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2456	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2456	MSIEXEC.EXE
Token: SeUndockPrivilege	2456	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2456	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2456	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2456	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2456	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2456	MSIEXEC.EXE
Token: SeBackupPrivilege	2840	vssvc.exe
Token: SeRestorePrivilege	2840	vssvc.exe
Token: SeAuditPrivilege	2840	vssvc.exe
Token: SeBackupPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	1616	DrvInst.exe
Token: SeLoadDriverPrivilege	1616	DrvInst.exe
Token: SeLoadDriverPrivilege	1616	DrvInst.exe
Token: SeLoadDriverPrivilege	1616	DrvInst.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2456	MSIEXEC.EXE
2456	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2456	2208	NotifyConnect.exe	28
PID 2208 wrote to memory of 2456	2208	NotifyConnect.exe	28
PID 2208 wrote to memory of 2456	2208	NotifyConnect.exe	28
PID 2208 wrote to memory of 2456	2208	NotifyConnect.exe	28
PID 2208 wrote to memory of 2456	2208	NotifyConnect.exe	28
PID 2208 wrote to memory of 2456	2208	NotifyConnect.exe	28
PID 2208 wrote to memory of 2456	2208	NotifyConnect.exe	28
PID 2044 wrote to memory of 1588	2044	msiexec.exe	33
PID 2044 wrote to memory of 1588	2044	msiexec.exe	33
PID 2044 wrote to memory of 1588	2044	msiexec.exe	33
PID 2044 wrote to memory of 1588	2044	msiexec.exe	33
PID 2044 wrote to memory of 1588	2044	msiexec.exe	33
PID 2044 wrote to memory of 1588	2044	msiexec.exe	33
PID 2044 wrote to memory of 1588	2044	msiexec.exe	33
PID 2044 wrote to memory of 2824	2044	msiexec.exe	34
PID 2044 wrote to memory of 2824	2044	msiexec.exe	34
PID 2044 wrote to memory of 2824	2044	msiexec.exe	34
PID 2044 wrote to memory of 2824	2044	msiexec.exe	34
PID 2044 wrote to memory of 2824	2044	msiexec.exe	34
PID 2044 wrote to memory of 2824	2044	msiexec.exe	34
PID 2044 wrote to memory of 2824	2044	msiexec.exe	34
PID 2044 wrote to memory of 1056	2044	msiexec.exe	35
PID 2044 wrote to memory of 1056	2044	msiexec.exe	35
PID 2044 wrote to memory of 1056	2044	msiexec.exe	35
PID 1056 wrote to memory of 1684	1056	cmd.exe	37
PID 1056 wrote to memory of 1684	1056	cmd.exe	37
PID 1056 wrote to memory of 1684	1056	cmd.exe	37

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\NotifyConnect.exe
"C:\Users\Admin\AppData\Local\Temp\NotifyConnect.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{9BFCC852-4EA8-490A-A17D-5E65A0AE354D}\MdConnect_Desktop.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="NotifyConnect.exe"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2456

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1245647C28C2438D7E9A591C1248674
  2⤵
  - Loads dropped DLL
  PID:1588
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CBA17F4DCC4D0A32EB549D9DB31DC22 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2824
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\Windows\system32\sc.exe failure ConnectNewPoint actions= restart/60000/restart/60000/restart/60000 reset= 86400"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe failure ConnectNewPoint actions= restart/60000/restart/60000/restart/60000 reset= 86400
    3⤵
    - Launches sc.exe
    PID:1684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005A0" "00000000000003D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7657c3.rbs

Filesize
84KB

MD5
4a861f15a0684a009bd072495f95f479

SHA1
ea544c52d9de424529d5dc26cfab796120f8ade9

SHA256
f3de61b5f27b87e6305d9c436d77da9979358f7fddb31bc2755854e932b22af5

SHA512
86b317d4af4c1bb1d5fb72a1e651d7e43d6b2b23c37b707bf14efe4d3e9befe5f1a2606c640c7188e605eb29044740cabd4ecd87df6cb8e2c64e63ae9ec1176c

Download Submit
C:\Program Files (x86)\NotifyConnect\NotifyConnect\Util.dll

Filesize
351KB

MD5
8d5ab55c254db8746c1c362ef6683e37

SHA1
df393abef1656973f504271b9ae5bfcb0168b052

SHA256
f4555f780ea3839002164f0a5c0b335c588021fdbce55ec468972f8f5defcf34

SHA512
420c38590ef1bd1c264594cbe581fd3051c2ff8e0f026b1e03dfa36620984f71b2f1318a32b81c43993494580d1a7425732a802028e521544f62f917084ec806

Download Submit
C:\Program Files (x86)\NotifyConnect\NotifyConnect\commpro.dll

Filesize
64KB

MD5
b9f966cb62f10d2bfb7502d4657086db

SHA1
ae00304a88b1d417ecfcaf4ff6f9ad9d73f6bca2

SHA256
0c80d7f107a4ea865d3d42660b6082867f6f2c7da460fdaeef5643c2145f7298

SHA512
a4bb23fe1e568c87f6b1a09443b1e4e2d1503ac5a6fab45e5d6a461069ee0b8507bb51b0e2a72740c27454b25f2e262ad70dc14d6b5552be95a168b88cf6107a

Download Submit
C:\Program Files (x86)\NotifyConnect\NotifyConnect\zkemkeeper.dll

Filesize
459KB

MD5
e62a4d02a1a911eb9c5f7638604d028b

SHA1
d30e336a74659db3a91c3b0c89b316054663ba1c

SHA256
d78bc689c8603df783994c1dcc116dca7a1698326f9bf0feb9f8318842bf3d1c

SHA512
ac192e0f661be928048e80a38537c912f8e5e3a92835bc45bef1d1a329fe3494758dcd43d6afcdc07d841c6ed5b66c99c92ca034414138ef12e89d272f69fa01

Download Submit
C:\Program Files (x86)\NotifyConnect\NotifyConnect\zkemsdk.dll

Filesize
215KB

MD5
8494ace342c7548184f126344243896d

SHA1
7559632376e294b3d2af06f64b2de260b618f89d

SHA256
187aedc01a7d76c8c6476329c5b36954a1a9fa867238df1c26f70f217153f5e4

SHA512
06928ea3a7092d603c9077d8dac7c52786bfd69f9324c32351cd9a5a371544cdc1a945fb4312b02da1d2848e8bfad555b83819453643cf4a5fad7c637e653ccc

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{9BFCC852-4EA8-490A-A17D-5E65A0AE354D}\MdConnect_Desktop.msi

Filesize
13.7MB

MD5
16cbe8c063e2571a14885fcb465f470c

SHA1
f02b7ffbfe4313585a3eab98aecf38246a69ce32

SHA256
7ac1f4f46846ea1dc120802a8ff3d8b129ee579f2a8ef4f8885842530636d117

SHA512
4186bfae917f1eb9dd4679ce228f3efbbe9340c1c871f4c160e262cf8f40653b73f5488d7b87701e46c0004a03c4034d4ebfe6eb2235ff38e453072578f5969e

Download Submit
C:\Users\Admin\AppData\Local\Downloaded Installations\{9BFCC852-4EA8-490A-A17D-5E65A0AE354D}\MdConnect_Desktop.msi

Filesize
9.2MB

MD5
abe88a1e2659dc9f659d04d6b9535f7a

SHA1
849a2a33e4773ee9a08f93e529b95ce7fdc82a68

SHA256
59f17807af6d8aa9a5bb3882f0944ed105e696c95662c0dde8f4170abdecd2a4

SHA512
a8a31e6d7d13a8f1e2de38f031b1d74f1b4ede57496e217e985a9a54f42a2c6c67c02eee042aa96a3218c08fde9546e7743961e6861665e2c62cd3e21e8036ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_isD02.tmp

Filesize
1KB

MD5
4703a131510955e0e14974f0bcc626b2

SHA1
69b710fccb792684a5694b69a0e86d4e3c7eae9c

SHA256
5006934220d17a4b5f02f3cdc607acd222420a68aef3ea4fc46a1c6ce93158b3

SHA512
126eb7a227e73edc4c2065c4bfff47402857b3aa0dfe8770b79fe7ba8f4d5c44c32d414f0cadfcdcf53f141b3f1da72a06e70eda00944a1e2fd5e55058aa4998

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8AED750-ED9B-4A25-BAD3-EE2ABA4AB23A}\0x0416.ini

Filesize
14KB

MD5
69f04b48601cd07f01cf4f6e364ecdb8

SHA1
5d8260e533fdc9576f33a1f013f3739c144ad612

SHA256
3a56a6e10eec747b4e1c0b4bae2aa8d3eaff840254ab23c9748512777adb1159

SHA512
6eaa7ced5299d7e1e5068d3fa4b2a0d31a40ad02e71e646ed40e4bb339e36f36a5dec50936e851d7ec3d871c47ccb42119e5233c3bee1b3d8c2fe276e3d3018a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8AED750-ED9B-4A25-BAD3-EE2ABA4AB23A}\Setup.INI

Filesize
2KB

MD5
435628c19ba43f37335682223fa05e32

SHA1
d5a4e945926654f68b0ef2bc4d06248233e27600

SHA256
44c9fec2539858c2a12366571a20991559398548890d8c97fc3aec9d612ff832

SHA512
566c19d4a1f47ad1320266fed3cf2fae7de3caf6cbf4d814eab78dadc72b824633265648235c5260a14b4bb3291f56b6a5dc621244617be248ec7a9b219346bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{D8AED750-ED9B-4A25-BAD3-EE2ABA4AB23A}\_ISMSIDEL.INI

Filesize
11B

MD5
3fdd2635aa94921522af8186f3c3d736

SHA1
0fe63553e9f993c0cb2cb36b8cdcfba4f4a2650d

SHA256
17ad78845c9c6a8e97a5bd14be56700a51ee85867c979ed6cf538e1fed82cf7c

SHA512
ebdbeefbdc777937fce516a1cbd9af7c305fc242091d695ad919a27c98fac5b6b16b44130bdf97dbfd10561cce701180b1fbb303d848944c3b33b8a3c058653a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5908.tmp

Filesize
323B

MD5
6d7f32005a3839edce48e38ddf630c22

SHA1
c3bbd41cc08a3b2eeb1825478316118716b2c168

SHA256
df5ba60e9309ded0e4beda62ae82a9de05a2a11bd7dbf1169f23852c34181c46

SHA512
ba61ecc5f43f039a4d4f56d4c0edb2fb8ce297cc38079e86ecda124fe8c1d3182fbbd2ed5a6e521b4c7c389e46614f393154ea4cb48a3f9e7e6968fea85f8803

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5908.tmp

Filesize
320B

MD5
c7ffe2f9a1902c553beb6639cb0dd89a

SHA1
aa7e182ffc401872af768c5d535ceb38e845fc95

SHA256
01cb7bd95bc2f59e423b3ee55e2de4711d62110822c1700adfd0cd45e2769385

SHA512
e71cfcb24a7cfe52d35399febd1d1f8454a0b4f312b9a0015ad7fa3e282e0ed72269da7627d967822a2166a7c1580a107ed69ce29e900bf139e63e9055e22cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5908.tmp

Filesize
329B

MD5
141936c30d63643e19320ddcc34aca06

SHA1
e2ab2a1a05785d7ae3e85ddc5edb6c4cf2cec707

SHA256
74e74f8e332a98d0abe3cb681859a2daa138c6f59b5e9be1a9e0fe1f7c59b530

SHA512
eabd7b060ed7a5626848f71c6edd487211de2f928867bd88f941187db1569048f6f8cc464915eede0b840e630df1e2cb66c875948a0ccec4e32fd81dc6e9d582

Download Submit
C:\Windows\Installer\MSI58AC.tmp

Filesize
161KB

MD5
03c0e661e724c8c2ea958ea6c8399b4b

SHA1
84aec5b716199c3e95b979c2b8614af7dc1a4780

SHA256
655e34000815dac7c76a7d31a0d60a9e0b7bcf4952fddc0fb3242aaeb9cc30dd

SHA512
a2cd6a2c1d993c69c9c64fb7dfea5c0f912dd1fa361665a771a3d2aa7e259cd2bbaa2235f560fdeaecc82fc66933605bf787ea62c2eb876506a129b59f8d8c76

Download Submit
memory/2824-208-0x0000000002040000-0x00000000020B8000-memory.dmp

Filesize
480KB

Download
memory/2824-212-0x0000000000610000-0x000000000064B000-memory.dmp

Filesize
236KB

Download
memory/2824-216-0x0000000000280000-0x0000000000296000-memory.dmp

Filesize
88KB

Download