Analysis

  • max time kernel
    26s
  • max time network
    24s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 11:22

Errors

Reason
Machine shutdown

General

  • Target

    nfd49_64.msi

  • Size

    14.4MB

  • MD5

    28be818ac9500048abe00f46c93def8c

  • SHA1

    11dd4516325e2d032f07f8a90aa66c035fb48c3c

  • SHA256

    6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0

  • SHA512

    55f80e299a0e548586100a6cbd1d5af0741a5d1e19b67648fb2a2fe51c6e43475e9066386711c824750cb4a3331c5c7d5208d5037dcfa1f873f1679738baa12f

  • SSDEEP

    393216:+/j2n3TlfPqX5sL1AAaB1/s7qUYCGMkqT2LY:T3TBoyQ+aA6

Malware Config

Signatures

  • Creates new service(s) 2 TTPs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 1 IoCs
  • Launches sc.exe 64 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 46 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nfd49_64.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2232
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 15D74EDB325251712746DFC9D0D9F174 M Global\MSI0000
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Program Files directory
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Windows\system32\cmd.exe
        cmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Program Files (x86)\Windows NT\7za.exe
          7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
          4⤵
          • Drops file in Program Files directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1496
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c shutdown -f -r -t 00
        3⤵
        PID:1608
        • C:\Windows\system32\shutdown.exe
          shutdown -f -r -t 00
          4⤵
          PID:408
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2416
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E0" "00000000000003C0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2784
  • C:\Windows\system32\cmd.exe
    cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\system32\sc.exe
      sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
      2⤵
      • Launches sc.exe
      PID:780
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1512
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1172
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:2904
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2116
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2496
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2488
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:2372
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:604
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1064
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:844
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1400
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:940
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1328
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1704
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:576
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1016
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2244
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2184
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:352
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1216
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:328
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1516
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2896
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1596
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2536
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2396
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:1908
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2948
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2080
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2908
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:2456
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2744
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2672
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:3028
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:3024
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2196
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2392
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2432
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2032
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1916
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1484
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1360
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1220
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1752
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:780
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1980
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1920
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1900
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:2128
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2852
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1100
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2856
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1608
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2472
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2496
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1976
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2332
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2696
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:652
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2312
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:964
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2004
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:940
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1588
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1748
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1704
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1000
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1444
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:1016
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2328
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2268
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2988
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:3016
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1204
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1500
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1992
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2188
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:896
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:2056
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1708
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2536
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2172
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      PID:2748
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2080
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2912
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2192
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2640
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2612
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:3028
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2388
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:2044
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:2432
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
      2⤵
      • Launches sc.exe
      PID:1732
  • C:\Windows\system32\cmd.exe
    cmd /c start sc start CleverSoar
    1⤵
    PID:1396
    • C:\Windows\system32\sc.exe
      sc start CleverSoar
                                                                                                        2⤵
                                                                                                          PID:2500
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        cmd /c start sc start CleverSoar
                                                                                                        1⤵
                                                                                                          PID:1736
                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                            sc start CleverSoar
                                                                                                            2⤵
                                                                                                            • Launches sc.exe
                                                                                                            PID:2516
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          cmd /c start sc start CleverSoar
                                                                                                          1⤵
                                                                                                            PID:2008
                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                              sc start CleverSoar
                                                                                                              2⤵
                                                                                                              • Launches sc.exe
                                                                                                              PID:780
                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                            cmd /c start sc start CleverSoar
                                                                                                            1⤵
                                                                                                              PID:1480
                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                sc start CleverSoar
                                                                                                                2⤵
                                                                                                                • Launches sc.exe
                                                                                                                PID:1764
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              cmd /c start sc start CleverSoar
                                                                                                              1⤵
                                                                                                                PID:2128
                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                  sc start CleverSoar
                                                                                                                  2⤵
                                                                                                                  • Launches sc.exe
                                                                                                                  PID:1784
                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                cmd /c start sc start CleverSoar
                                                                                                                1⤵
                                                                                                                  PID:996
                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                    sc start CleverSoar
                                                                                                                    2⤵
                                                                                                                    • Launches sc.exe
                                                                                                                    PID:608
                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                  cmd /c start sc start CleverSoar
                                                                                                                  1⤵
                                                                                                                    PID:2300
                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                      sc start CleverSoar
                                                                                                                      2⤵
                                                                                                                      • Launches sc.exe
                                                                                                                      PID:2472
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    cmd /c start sc start CleverSoar
                                                                                                                    1⤵
                                                                                                                      PID:112
                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                        sc start CleverSoar
                                                                                                                        2⤵
                                                                                                                        • Launches sc.exe
                                                                                                                        PID:1664
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      cmd /c start sc start CleverSoar
                                                                                                                      1⤵
                                                                                                                        PID:2696
                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                          sc start CleverSoar
                                                                                                                          2⤵
                                                                                                                            PID:2928
                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                          cmd /c start sc start CleverSoar
                                                                                                                          1⤵
                                                                                                                            PID:1636
                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                              sc start CleverSoar
                                                                                                                              2⤵
                                                                                                                              • Launches sc.exe
                                                                                                                              PID:2280
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            cmd /c start sc start CleverSoar
                                                                                                                            1⤵
                                                                                                                              PID:2504
                                                                                                                              • C:\Windows\system32\sc.exe
                                                                                                                                sc start CleverSoar
                                                                                                                                2⤵
                                                                                                                                • Launches sc.exe
                                                                                                                                PID:1720
                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                              cmd /c start sc start CleverSoar
                                                                                                                              1⤵
                                                                                                                                PID:2924
                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                  sc start CleverSoar
                                                                                                                                  2⤵
                                                                                                                                  • Launches sc.exe
                                                                                                                                  PID:1748
                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                cmd /c start sc start CleverSoar
                                                                                                                                1⤵
                                                                                                                                  PID:1568
                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                    sc start CleverSoar
                                                                                                                                    2⤵
                                                                                                                                      PID:1824
                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                    cmd /c start sc start CleverSoar
                                                                                                                                    1⤵
                                                                                                                                      PID:1016
                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                        sc start CleverSoar
                                                                                                                                        2⤵
                                                                                                                                        • Launches sc.exe
                                                                                                                                        PID:2480
                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                      cmd /c start sc start CleverSoar
                                                                                                                                      1⤵
                                                                                                                                        PID:3012
                                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                                          sc start CleverSoar
                                                                                                                                          2⤵
                                                                                                                                          • Launches sc.exe
                                                                                                                                          PID:2996
                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                        cmd /c start sc start CleverSoar
                                                                                                                                        1⤵
                                                                                                                                          PID:1780
                                                                                                                                          • C:\Windows\system32\sc.exe
                                                                                                                                            sc start CleverSoar
                                                                                                                                            2⤵
                                                                                                                                            • Launches sc.exe
                                                                                                                                            PID:1204
                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                          cmd /c start sc start CleverSoar
                                                                                                                                          1⤵
                                                                                                                                            PID:2980
                                                                                                                                            • C:\Windows\system32\sc.exe
                                                                                                                                              sc start CleverSoar
                                                                                                                                              2⤵
                                                                                                                                                PID:2688
                                                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                                                              cmd /c start sc start CleverSoar
                                                                                                                                              1⤵
                                                                                                                                                PID:896
                                                                                                                                                • C:\Windows\system32\sc.exe
                                                                                                                                                  sc start CleverSoar
                                                                                                                                                  2⤵
                                                                                                                                                  • Launches sc.exe
                                                                                                                                                  PID:1644
                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                cmd /c start sc start CleverSoar
                                                                                                                                                1⤵
                                                                                                                                                  PID:2396
                                                                                                                                                  • C:\Windows\system32\sc.exe
                                                                                                                                                    sc start CleverSoar
                                                                                                                                                    2⤵
                                                                                                                                                    • Launches sc.exe
                                                                                                                                                    PID:2716
                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                  cmd /c start sc start CleverSoar
                                                                                                                                                  1⤵
                                                                                                                                                    PID:1908
                                                                                                                                                    • C:\Windows\system32\sc.exe
                                                                                                                                                      sc start CleverSoar
                                                                                                                                                      2⤵
                                                                                                                                                      • Launches sc.exe
                                                                                                                                                      PID:1668
                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                    cmd /c start sc start CleverSoar
                                                                                                                                                    1⤵
                                                                                                                                                      PID:1292
                                                                                                                                                      • C:\Windows\system32\sc.exe
                                                                                                                                                        sc start CleverSoar
                                                                                                                                                        2⤵
                                                                                                                                                        • Launches sc.exe
                                                                                                                                                        PID:2912
                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                      cmd /c start sc start CleverSoar
                                                                                                                                                      1⤵
                                                                                                                                                        PID:2824
                                                                                                                                                        • C:\Windows\system32\sc.exe
                                                                                                                                                          sc start CleverSoar
                                                                                                                                                          2⤵
                                                                                                                                                          • Launches sc.exe
                                                                                                                                                          PID:2568
                                                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                                                        cmd /c start sc start CleverSoar
                                                                                                                                                        1⤵
                                                                                                                                                          PID:3028
  • C:\Windows\system32\sc.exe
    sc start CleverSoar
    2⤵
    • Launches sc.exe
    PID:3036
• C:\Windows\system32\cmd.exe
  cmd /c start sc start CleverSoar
  1⤵
  PID:1592
  • C:\Windows\system32\sc.exe
    sc start CleverSoar
    2⤵
    • Launches sc.exe
    PID:1140
• C:\Windows\system32\cmd.exe
  cmd /c start sc start CleverSoar
  1⤵
  PID:2512
  • C:\Windows\system32\sc.exe
    sc start CleverSoar
    2⤵
    PID:1396
• C:\Windows\system32\cmd.exe
  cmd /c start sc start CleverSoar
  1⤵
  PID:2936
  • C:\Windows\system32\sc.exe
    sc start CleverSoar
    2⤵
    • Launches sc.exe
    PID:1228
• C:\Windows\system32\cmd.exe
  cmd /c start sc start CleverSoar
  1⤵
  PID:1528
  • C:\Windows\system32\sc.exe
    sc start CleverSoar
    2⤵
    PID:2008
• C:\Windows\system32\cmd.exe
  cmd /c start sc start CleverSoar
  1⤵
  PID:2024
  • C:\Windows\system32\sc.exe
    sc start CleverSoar
    2⤵
    • Launches sc.exe
    PID:1032
• C:\Windows\system32\cmd.exe
  cmd /c start sc start CleverSoar
  1⤵
  PID:2128
  • C:\Windows\system32\sc.exe
    sc start CleverSoar
    2⤵
    PID:2596
• C:\Windows\system32\cmd.exe
  cmd /c start shutdown -f -r -t 00
  1⤵
  PID:2116
  • C:\Windows\system32\shutdown.exe
    shutdown -f -r -t 00
    2⤵
    PID:2856
• C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  1⤵
  PID:2788
• C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x1
  1⤵
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Config.Msi\f76e87d.rbs
  Filesize: 13.8MB
  MD5: 25968242527892b83da16c38e5158cb0
  SHA1: 4169621dafe6a4d5e73784ef57ee715386f5038b
  SHA256: e8f5c31034be6324943433814867cad097d4358e21b3ce46054a1366d8488565
  SHA512: 7710b7eec294333c6588984f9b73cb27cf801b7ea55b4348e18eaf565559ee86713a60f8f21853be96af011864dbc25b6c790d9ebaa82d2496942f059600b411

• C:\Program Files (x86)\Windows NT\7za.bin
  Filesize: 577KB
  MD5: f77c0b61806b6865c888592e178294c3
  SHA1: e9e0b393cc977fbdbc44fe19d92879a38a4dad0c
  SHA256: b85490de04744a2e30a815bfad752b520e87f71a1ce92dd23a0ed975b4836c82
  SHA512: b4214f31ce76ba40d57ff64d204b3e0943a66e0b58302a22a92dbba98b847cbd6191a780e8940bea0498771a207c7024370b61fcbf310b22824d2b632efa7f12

• C:\Program Files (x86)\Windows NT\7za.exe
  Filesize: 577KB
  MD5: fbc6e272e89203cb9ddb3f88b4954deb
  SHA1: fc75778e7e0c9f1bb67bc1097fdb9a5bcd5e7a0d
  SHA256: 99026dc8b99c6ea934b943f41a543f39040d837650d7f185ebd9f147a49ea1b6
  SHA512: b010571d7924e35feedc32ad82020dc85903cf4e8a606ee055f6f4f6485982839ad1bad83f56301610d9b063a7fe55d403e6113a8c285c06d96c9b3ec8783425

• C:\Program Files (x86)\Windows NT\locale.bin
  Filesize: 55KB
  MD5: 591cbc59b64c8592744ae5f8f02daa4b
  SHA1: 3d3556785d30ec2095beee1275b708d307e90a3c
  SHA256: 1b0852406450e6c369c8bdd600976fd52e4ed3d6125659ba0845ea537dad2bcb
  SHA512: 99af9f665bc9f2c4751825ce5a2a2da719b6db3e811668ac555f5a2a0f7cf0e6c4e902e250751084f8b7787980cd4efe1af6251f07e6d971717fb705706c3cc9

• C:\Program Files (x86)\Windows NT\locale2.bin
  Filesize: 55KB
  MD5: 2f2bf41e2cae24881b7353510b3b35e8
  SHA1: 21babd383c1e89eed4993760e2f64ef8ea39aedd
  SHA256: 826a8a6b44d5ea01cf7d23b0941e8e0591e83c9d246ccd052d6739d736f35133
  SHA512: 96b878fc10c345f4090b410c51d2f6617fbaa7cd9a67c288e4e3c5c49b43a4613c030d10e89baa03d1b780ace4de0e6c7c66dbf6a7e3d92d93a16c4ce1c7845e

• C:\Program Files (x86)\Windows NT\locale3.bin
  Filesize: 29KB
  MD5: 6177495bc3fe9c1c9ddb004cce5e51ac
  SHA1: 5b2d16055a93ee4fceedc0f308f3733156f5deb8
  SHA256: 5fbfd09294d7e0fc9a86964c68d646a6a74d590762b75b65ce138ce356ca1b51
  SHA512: 4f725f9a75113a192aba27c96efb3c387559d64be0ee30f26cc74bd0fddc1f57ca1592054dde18fe5dd9516ab017801705b043dfa40ca3d85a6cc5f2ee9105a7

• C:\Program Files (x86)\Windows NT\locale3.dat
  Filesize: 29KB
  MD5: c6cd33f25c71000e089e3ba2a18e907a
  SHA1: 853f963fd6edcb07e199c20eac25177f2894c5ba
  SHA256: 161196b017d1fa466c9b806e2d62614026e9d34958eb47af0dab270f4eca881c
  SHA512: a27b014fc0df449a39111067ce21ba3ef2ead39d1a2abad9d9e61a60b43f53d50d2789a61961dced1fe3782d55e42fc084fa06eec335a51b802d6a4c13436bd7

• C:\Program Files (x86)\Windows NT\locale4.bin
  Filesize: 73KB
  MD5: 1ed346bcc3cc05a73f8391ffcd7f60cc
  SHA1: 3df7906454103d79ab93148e9a3e8f0ed6e9c90d
  SHA256: e7b4f3562ab8e296701316291a73b0aadd9ba9f5e98c64d97fea35b21a670a21
  SHA512: e5f57a73744fecdbf2b329f6f24c816b86e883bbc56b9b9b0049271d59c39c7b677a5eea8a846c487f23f5d9c8dcf027e9df548b604cdad98fad221949f49c91

• C:\Windows\Installer\MSIEA13.tmp
  Filesize: 13.8MB
  MD5: b847332b6221ef7b0ab9233f47934dc9
  SHA1: 6dfe21baadbdfb5b4fd4c97041f333dc879f0faa
  SHA256: 8239c85adbeeff92dfa7ae4d30eda9cea602c9bf13609c5db2250dbc995f9161
  SHA512: 7cb582c5aa8768a2032ae1c16989f8dae4650dd5b17de025277acf373182de076a2f65d44c8e534cb55647ff206a9ed86be370d7417cdaf8a6ee6c19a68922db

• C:\Windows\Installer\f76e87b.msi
  Filesize: 14.4MB
  MD5: 28be818ac9500048abe00f46c93def8c
  SHA1:

                                                                                                                                                                                    11dd4516325e2d032f07f8a90aa66c035fb48c3c

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    55f80e299a0e548586100a6cbd1d5af0741a5d1e19b67648fb2a2fe51c6e43475e9066386711c824750cb4a3331c5c7d5208d5037dcfa1f873f1679738baa12f

                                                                                                                                                                                  • memory/684-29-0x0000000076F20000-0x0000000076F22000-memory.dmp

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    8KB

                                                                                                                                                                                  • memory/684-31-0x0000000076F20000-0x0000000076F22000-memory.dmp

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    8KB

                                                                                                                                                                                  • memory/684-27-0x0000000076F20000-0x0000000076F22000-memory.dmp

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    8KB

                                                                                                                                                                                  • memory/684-26-0x0000000076F10000-0x0000000076F12000-memory.dmp

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    8KB

                                                                                                                                                                                  • memory/684-24-0x0000000076F10000-0x0000000076F12000-memory.dmp

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    8KB

                                                                                                                                                                                  • memory/684-22-0x0000000076F10000-0x0000000076F12000-memory.dmp

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    8KB
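The dropped-file listing above is only useful once it is turned into records an analyst can check against. The following script is an added example, not code from the sandbox or from the analysed package: it parses the report's bullet / label / value layout, rejects digests of the wrong length or alphabet, verifies a local copy of a file against every digest the report lists for it, and flags which listed paths are byte-identical to the package that was submitted. The excerpt embedded in the block is constructed from the entries printed above; the constant `SUBMITTED_SHA256` is an assumption standing in for the hash of the package the analyst submitted and is set to the SHA256 listed for `f76e87b.msi`, which is the value you expect when that file is Windows Installer's cached copy of the submitted package rather than a second payload. The reading of the memory-dump file name as pid, sequence number and address range is likewise an assumption, checked only against the listed 8KB size.

```python
"""Turn a sandbox dropped-file listing into checkable IOC records (added example)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BULLET = "\u2022"                                   # the report's list marker
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-f]+$")
DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt in the report's own layout; paths and hashes as printed in the listing.
LISTING = """\
• C:\\Windows\\Installer\\MSIEA13.tmp
Filesize
13.8MB
MD5
b847332b6221ef7b0ab9233f47934dc9
SHA1
6dfe21baadbdfb5b4fd4c97041f333dc879f0faa
SHA256
8239c85adbeeff92dfa7ae4d30eda9cea602c9bf13609c5db2250dbc995f9161
SHA512
7cb582c5aa8768a2032ae1c16989f8dae4650dd5b17de025277acf373182de076a2f65d44c8e534cb55647ff206a9ed86be370d7417cdaf8a6ee6c19a68922db
• C:\\Windows\\Installer\\f76e87b.msi
Filesize
14.4MB
MD5
28be818ac9500048abe00f46c93def8c
SHA1
11dd4516325e2d032f07f8a90aa66c035fb48c3c
SHA256
6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0
SHA512
55f80e299a0e548586100a6cbd1d5af0741a5d1e19b67648fb2a2fe51c6e43475e9066386711c824750cb4a3331c5c7d5208d5037dcfa1f873f1679738baa12f
• memory/684-29-0x0000000076F20000-0x0000000076F22000-memory.dmp
Filesize
8KB
"""

# Assumption: the SHA256 of the package the analyst submitted. Set to the value listed for
# f76e87b.msi, which is what you expect when that file is Windows Installer's cache copy.
SUBMITTED_SHA256 = "6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0"


@dataclass
class Artifact:
    path: str
    filesize: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)


def is_valid_hash(label: str, value: str) -> bool:
    """Length and alphabet check: a truncated or mis-copied digest fails here."""
    v = value.lower()
    return label in HASH_LEN and len(v) == HASH_LEN[label] and bool(HEX.match(v))


def parse_listing(text: str) -> List[Artifact]:
    """Parse 'bullet path / label / value' lines; raises ValueError on malformed input."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    artifacts: List[Artifact] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(BULLET):
            artifacts.append(Artifact(path=line[1:].strip()))
            i += 1
        elif line == "Filesize" or line in HASH_LEN:
            if not artifacts or i + 1 >= len(lines):
                raise ValueError(f"dangling label {line!r}")
            value = lines[i + 1]
            if line == "Filesize":
                artifacts[-1].filesize = value
            elif is_valid_hash(line, value):
                artifacts[-1].hashes[line] = value.lower()
            else:
                raise ValueError(f"{artifacts[-1].path}: bad {line} {value!r}")
            i += 2
        else:
            raise ValueError(f"unexpected line {line!r}")
    return artifacts


def hashes_of(data: bytes) -> Dict[str, str]:
    """The same four digests the report prints, computed over a local copy."""
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(), "SHA512": hashlib.sha512(data).hexdigest()}


def matches(artifact: Artifact, data: bytes) -> bool:
    """True only if every digest listed for `artifact` agrees with `data`."""
    if not artifact.hashes:
        return False                                # memory dumps carry no digests: never 'verified'
    computed = hashes_of(data)
    return all(computed[label] == digest for label, digest in artifact.hashes.items())


def copies_of(artifacts: List[Artifact], sha256: str) -> List[str]:
    """Listed paths whose SHA256 equals `sha256`: with the submitted package's hash this
    picks out the Installer's cache copy, which is not a new IOC."""
    return [a.path for a in artifacts if a.hashes.get("SHA256") == sha256.lower()]


def dump_info(path: str) -> Optional[Dict[str, int]]:
    """Fields read from a memory-dump name (assumed: pid, sequence number, address range)."""
    m = DUMP_NAME.match(path)
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


if __name__ == "__main__":
    arts = parse_listing(LISTING)
    print("cache copies of submitted package:", copies_of(arts, SUBMITTED_SHA256))
```

Run as written, the script reports `f76e87b.msi` as the only listed file matching the submitted package, leaving `MSIEA13.tmp` (a different 13.8MB artifact) as the one worth collecting on its own; `matches()` is what you would point at a copy pulled from a host to confirm it is the same file the sandbox saw, and `dump_info()` confirms that the listed dump's address range spans exactly the 8KB the report gives as its size.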