Analysis
-
max time kernel
26s -
max time network
24s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system -
submitted
13-11-2024 11:22
Static task
static1
Behavioral task
behavioral1
Sample
nfd49_64.msi
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
nfd49_64.msi
Resource
win10v2004-20241007-en
Errors
General
-
Target
nfd49_64.msi
-
Size
14.4MB
-
MD5
28be818ac9500048abe00f46c93def8c
-
SHA1
11dd4516325e2d032f07f8a90aa66c035fb48c3c
-
SHA256
6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0
-
SHA512
55f80e299a0e548586100a6cbd1d5af0741a5d1e19b67648fb2a2fe51c6e43475e9066386711c824750cb4a3331c5c7d5208d5037dcfa1f873f1679738baa12f
-
SSDEEP
393216:+/j2n3TlfPqX5sL1AAaB1/s7qUYCGMkqT2LY:T3TBoyQ+aA6
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
Each drive root below was opened read-only by msiexec.exe twice (46 events in total; the letters C:, D: and F: do not appear):
\??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
MsiExec.exe PID 684 (2 events)
Drops file in Program Files directory 15 IoCs
Processes: 7za.exe, MsiExec.exe, msiexec.exe
File created: C:\Program Files (x86)\Windows NT\tProtect.dll (7za.exe)
File opened for modification: C:\Program Files (x86)\Windows NT\tProtect.dll (7za.exe)
File opened for modification: C:\Program Files (x86)\Windows NT\Update.png (MsiExec.exe)
File created: C:\Program Files (x86)\Windows NT\locale2.dat (MsiExec.exe)
File created: C:\Program Files (x86)\Windows NT\locale4.dat (MsiExec.exe)
File created: C:\Program Files (x86)\Windows NT\INIT.DAT (MsiExec.exe)
File created: C:\Program Files (x86)\Windows NT\7za.exe (MsiExec.exe)
File created: C:\Program Files (x86)\Windows NT\locale3.dat (MsiExec.exe)
File created: C:\Program Files (x86)\Windows NT\7za.bin (msiexec.exe)
File created: C:\Program Files (x86)\Windows NT\locale.bin (msiexec.exe)
File created: C:\Program Files (x86)\Windows NT\locale2.bin (msiexec.exe)
File created: C:\Program Files (x86)\Windows NT\locale3.bin (msiexec.exe)
File created: C:\Program Files (x86)\Windows NT\locale4.bin (msiexec.exe)
File created: C:\Program Files (x86)\Windows NT\Update.png (MsiExec.exe)
File created: C:\Program Files (x86)\Windows NT\locale.dat (MsiExec.exe)
Drops file in Windows directory 11 IoCs
Processes: msiexec.exe, DrvInst.exe
File created: C:\Windows\Installer\f76e87c.ipi (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSIE946.tmp (msiexec.exe)
File opened for modification: C:\Windows\Installer\MSIEA13.tmp (msiexec.exe)
File opened for modification: C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
File opened for modification: C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
File opened for modification: C:\Windows\Installer\f76e87b.msi (msiexec.exe)
File created: C:\Windows\Installer\f76e87e.msi (msiexec.exe)
File opened for modification: C:\Windows\Installer\f76e87c.ipi (msiexec.exe)
File opened for modification: C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
File created: C:\Windows\Installer\f76e87b.msi (msiexec.exe)
File opened for modification: C:\Windows\Installer\ (msiexec.exe)
Executes dropped EXE 1 IoCs
Processes:
7za.exe PID 1496
Launches sc.exe 64 IoCs
sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (64 instances)
PIDs: 1704, 2996, 1204, 1172, 2496, 964, 2640, 1032, 328, 2080, 2332, 1664, 1500, 2280, 2488, 2392, 1484, 1000, 780, 352, 1220, 608, 1732, 1720, 2116, 2184, 2032, 2912, 780, 2516, 2472, 1748, 2716, 2568, 604, 1608, 940, 2268, 2672, 1748, 1784, 2480, 1016, 1216, 2896, 2536, 1140, 3024, 2536, 1644, 3036, 3028, 2044, 780, 2912, 940, 1328, 2244, 1100, 1764, 1668, 1228, 1920, 2188
Loads dropped DLL 1 IoCs
Processes:
MsiExec.exe PID 684
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Processes: 7za.exe
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (7za.exe)
Modifies data under HKEY_USERS 46 IoCs
Processes: DrvInst.exe, msiexec.exe
Keys created by DrvInst.exe under \REGISTRY\USER\.DEFAULT\Software (42 events):
Microsoft\SystemCertificates\CA
Microsoft\SystemCertificates\CA\Certificates
Microsoft\SystemCertificates\CA\CRLs
Microsoft\SystemCertificates\CA\CTLs
Microsoft\SystemCertificates\Disallowed
Microsoft\SystemCertificates\Disallowed\Certificates
Microsoft\SystemCertificates\Disallowed\CRLs
Microsoft\SystemCertificates\Disallowed\CTLs
Microsoft\SystemCertificates\My
Microsoft\SystemCertificates\Root
Microsoft\SystemCertificates\Root\Certificates
Microsoft\SystemCertificates\Root\CRLs
Microsoft\SystemCertificates\Root\CTLs
Microsoft\SystemCertificates\SmartCardRoot
Microsoft\SystemCertificates\SmartCardRoot\Certificates
Microsoft\SystemCertificates\SmartCardRoot\CRLs
Microsoft\SystemCertificates\SmartCardRoot\CTLs
Microsoft\SystemCertificates\trust
Microsoft\SystemCertificates\trust\Certificates
Microsoft\SystemCertificates\trust\CRLs
Microsoft\SystemCertificates\trust\CTLs
Microsoft\SystemCertificates\TrustedPeople
Microsoft\SystemCertificates\TrustedPeople\Certificates
Microsoft\SystemCertificates\TrustedPeople\CRLs
Microsoft\SystemCertificates\TrustedPeople\CTLs
Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Policies\Microsoft\SystemCertificates\CA
Policies\Microsoft\SystemCertificates\CA\Certificates
Policies\Microsoft\SystemCertificates\CA\CRLs
Policies\Microsoft\SystemCertificates\CA\CTLs
Policies\Microsoft\SystemCertificates\Disallowed
Policies\Microsoft\SystemCertificates\Disallowed\Certificates
Policies\Microsoft\SystemCertificates\Disallowed\CRLs
Policies\Microsoft\SystemCertificates\Disallowed\CTLs
Policies\Microsoft\SystemCertificates\trust
Policies\Microsoft\SystemCertificates\trust\Certificates
Policies\Microsoft\SystemCertificates\trust\CRLs
Policies\Microsoft\SystemCertificates\trust\CTLs
Policies\Microsoft\SystemCertificates\TrustedPeople
Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
Set value (data) by DrvInst.exe:
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string: "en-US", "en")
msiexec.exe:
Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D
Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E
Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E
Modifies registry class 22 IoCs
Processes: msiexec.exe
All keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer; the 32-hex-digit key names are the compressed form Windows Installer uses for product, upgrade and package GUIDs.
Key created: Products\49559787D3F0E8C4FB63ECDD0256A25C
Key created: Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList
Key created: Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Media
Key created: Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Net
Key created: Features\49559787D3F0E8C4FB63ECDD0256A25C
Key created: UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C
Set value (str): Products\49559787D3F0E8C4FB63ECDD0256A25C\ProductName = "Setup"
Set value (str): Products\49559787D3F0E8C4FB63ECDD0256A25C\PackageCode = "ABFF0937B01A87E41854A75335A0BDA6"
Set value (int): Products\49559787D3F0E8C4FB63ECDD0256A25C\Version = "16973832"
Set value (int): Products\49559787D3F0E8C4FB63ECDD0256A25C\Language = "1033"
Set value (int): Products\49559787D3F0E8C4FB63ECDD0256A25C\InstanceType = "0"
Set value (int): Products\49559787D3F0E8C4FB63ECDD0256A25C\Assignment = "1"
Set value (int): Products\49559787D3F0E8C4FB63ECDD0256A25C\AdvertiseFlags = "388"
Set value (int): Products\49559787D3F0E8C4FB63ECDD0256A25C\AuthorizedLUAApp = "0"
Set value (int): Products\49559787D3F0E8C4FB63ECDD0256A25C\DeploymentFlags = "3"
Set value (data): Products\49559787D3F0E8C4FB63ECDD0256A25C\Clients = 3a0000000000
Set value (str): Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\PackageName = "nfd49_64.msi"
Set value (str): Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Set value (str): Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Media\1 = ";"
Set value (str): Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Set value (str): Features\49559787D3F0E8C4FB63ECDD0256A25C\ProdFeature
Set value (str): UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C\49559787D3F0E8C4FB63ECDD0256A25C
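The key names under Installer\Products, Installer\Features and Installer\UpgradeCodes are Windows Installer "compressed" GUIDs, not the ProductCode and UpgradeCode strings an analyst needs for msiexec /x, a Win32_Product query, or pivoting to sibling packages. The following is an added example, not part of this sandbox report and not code from the sandbox vendor or from the sample: it reverses that compression (first three GUID fields reversed character by character, every remaining byte's two hex digits swapped) and unpacks the Version DWORD (major in the top byte, minor in the next, build in the low 16 bits). The input values are copied from the registry IoCs above; the function and variable names are this example's own. Language = 1033 is the LCID for en-US.

```python
import re

SQUISHED_RE = re.compile(r"^[0-9A-F]{32}$")


def unsquish_guid(squished: str) -> str:
    """Expand a Windows Installer compressed GUID (the 32-hex-digit key name used
    under HKLM\\SOFTWARE\\Classes\\Installer\\Products, \\Features and \\UpgradeCodes)
    into the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form.

    The compression reverses the first three fields (8, 4 and 4 hex digits) and
    swaps the two hex digits of each remaining byte.
    """
    s = squished.strip().upper()
    if not SQUISHED_RE.match(s):
        raise ValueError(f"not a 32-hex-digit compressed GUID: {squished!r}")
    fields = [s[0:8][::-1], s[8:12][::-1], s[12:16][::-1]]
    tail = "".join(s[i + 1] + s[i] for i in range(16, 32, 2))  # swap each byte's digits
    fields += [tail[:4], tail[4:]]
    return "{" + "-".join(fields) + "}"


def squish_guid(guid: str) -> str:
    """Inverse of unsquish_guid: turn a known ProductCode into the key name to look
    for under Installer\\Products on a host (the byte swap is its own inverse)."""
    parts = guid.strip().strip("{}").upper().split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12] or not all(re.fullmatch(r"[0-9A-F]+", p) for p in parts):
        raise ValueError(f"not a GUID: {guid!r}")
    head = parts[0][::-1] + parts[1][::-1] + parts[2][::-1]
    tail_src = parts[3] + parts[4]
    tail = "".join(tail_src[i + 1] + tail_src[i] for i in range(0, 16, 2))
    return head + tail


def decode_msi_version(packed: int) -> str:
    """Installer\\Products\\<code>\\Version packs major.minor.build as 0xMMmmBBBB."""
    return f"{(packed >> 24) & 0xFF}.{(packed >> 16) & 0xFF}.{packed & 0xFFFF}"


# Values copied from the "Modifies registry class" IoCs in this report.
REPORT_PRODUCT_KEY = "49559787D3F0E8C4FB63ECDD0256A25C"
REPORT_UPGRADE_KEY = "ABCBC521D000113428DCA4ABCB7D434C"
REPORT_PACKAGE_CODE = "ABFF0937B01A87E41854A75335A0BDA6"  # stored in the same compressed form
REPORT_VERSION = 16973832


def summarize_product() -> dict:
    """Decode the identifiers the installer wrote for nfd49_64.msi."""
    return {
        "ProductCode": unsquish_guid(REPORT_PRODUCT_KEY),
        "UpgradeCode": unsquish_guid(REPORT_UPGRADE_KEY),
        "PackageCode": unsquish_guid(REPORT_PACKAGE_CODE),
        "Version": decode_msi_version(REPORT_VERSION),
        "ProductName": "Setup",
    }


if __name__ == "__main__":
    for name, value in summarize_product().items():
        print(f"{name}: {value}")
```

Running the script gives ProductCode {78795594-0F3D-4C8E-BF36-CEDD20652AC5}, UpgradeCode {125CBCBA-000D-4311-82CD-4ABABCD734C4} and Version 1.3.8; the generic ProductName "Setup" together with a dropped kernel driver is itself a useful hunting combination. The squish_guid direction is the one to use when checking a fleet for this ProductCode under Installer\Products.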
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes:
7za.exe PID 1496
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
msiexec.exe PID 1680 (2 events); MsiExec.exe PID 684 (5 events)
Suspicious behavior: LoadsDriver 64 IoCs
Processes:
PID 476 (image name not recorded in the report), 64 events
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe, DrvInst.exe
PID 2232 msiexec.exe (31 events): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
PID 1680 msiexec.exe (20 events): SeRestorePrivilege (x10), SeTakeOwnershipPrivilege (x8), SeSecurityPrivilege, SeBackupPrivilege
PID 2416 vssvc.exe (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
PID 2784 DrvInst.exe (10 events): SeRestorePrivilege (x7), SeLoadDriverPrivilege (x3)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exe PID 2232
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msiexec.exe, MsiExec.exe and 19 cmd.exe instances
source PID (image) -> target PID [target procid], event count:
1680 (msiexec.exe) -> 684 [35], 5 events
1252 (cmd.exe) -> 780 [37], 3 events
684 (MsiExec.exe) -> 1900 [39], 3 events
1900 (cmd.exe) -> 1496 [41], 4 events
1512 (cmd.exe) -> 1172 [43], 3 events
2708 (cmd.exe) -> 2904 [46], 3 events
1608 (cmd.exe) -> 2116 [49], 3 events
2496 (cmd.exe) -> 2488 [52], 3 events
1976 (cmd.exe) -> 2372 [55], 3 events
2384 (cmd.exe) -> 604 [58], 3 events
1064 (cmd.exe) -> 844 [61], 3 events
1400 (cmd.exe) -> 940 [64], 3 events
2376 (cmd.exe) -> 1328 [67], 3 events
1648 (cmd.exe) -> 1704 [70], 3 events
576 (cmd.exe) -> 1016 [73], 3 events
1828 (cmd.exe) -> 2244 [76], 3 events
2268 (cmd.exe) -> 2184 [79], 3 events
2996 (cmd.exe) -> 352 [82], 3 events
1204 (cmd.exe) -> 1216 [85], 3 events
2012 (cmd.exe) -> 328 [88], 3 events
1516 (cmd.exe) -> 2896 [91], 1 event (the list stops at 64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nfd49_64.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2232
-
C:\Windows\system32\msiexec.exe (depth 1)
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
  C:\Windows\system32\MsiExec.exe (depth 2)
  Command line: C:\Windows\system32\MsiExec.exe -Embedding 15D74EDB325251712746DFC9D0D9F174 M Global\MSI0000
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:684
    C:\Windows\system32\cmd.exe (depth 3)
    Command line: cmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
    - Suspicious use of WriteProcessMemory
    PID:1900
      C:\Program Files (x86)\Windows NT\7za.exe (depth 4)
      Command line: 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1496
    C:\Windows\system32\cmd.exe (depth 3)
    Command line: C:\Windows\system32\cmd.exe /c shutdown -f -r -t 00
    PID:1608
      C:\Windows\system32\shutdown.exe (depth 4)
      Command line: shutdown -f -r -t 00
      PID:408
-
C:\Windows\system32\vssvc.exe (depth 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
C:\Windows\system32\DrvInst.exe (depth 1)
Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E0" "00000000000003C0"
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2784
-
C:\Windows\system32\cmd.exe (depth 1)
Command line: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
- Suspicious use of WriteProcessMemory
PID:1252
  C:\Windows\system32\sc.exe (depth 2)
  Command line: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  - Launches sc.exe
  PID:780
-
The remaining 59 entries of the tree are repetitions of one pair with identical command lines:
  C:\Windows\system32\cmd.exe (depth 1), Command line: cmd /c start sc start CleverSoar
  C:\Windows\system32\sc.exe (depth 2), Command line: sc start CleverSoar
They differ only in PIDs and in the signatures attached. WPM = the cmd.exe entry carries "Suspicious use of WriteProcessMemory" (that signature's 64-IoC list ends with cmd.exe PID 1516, so later entries do not carry it); LSC = the sc.exe entry carries "Launches sc.exe".

 #    cmd.exe PID   sc.exe PID   signatures
 1    1512          1172         WPM, LSC
 2    2708          2904         WPM
 3    1608          2116         WPM, LSC
 4    2496          2488         WPM, LSC
 5    1976          2372         WPM
 6    2384          604          WPM, LSC
 7    1064          844          WPM
 8    1400          940          WPM, LSC
 9    2376          1328         WPM, LSC
10    1648          1704         WPM, LSC
11    576           1016         WPM, LSC
12    1828          2244         WPM, LSC
13    2268          2184         WPM, LSC
14    2996          352          WPM, LSC
15    1204          1216         WPM, LSC
16    2012          328          WPM, LSC
17    1516          2896         WPM, LSC
18    1596          2536         LSC
19    2396          1908         (none)
20    2948          2080         LSC
21    2908          2456         (none)
22    2744          2672         LSC
23    3028          3024         LSC
24    2196          2392         LSC
25    2432          2032         LSC
26    1916          1484         LSC
27    1360          1220         LSC
28    1752          780          LSC
29    1980          1920         LSC
30    1900          2128         (none)
31    2852          1100         LSC
32    2856          1608         LSC
33    2472          2496         LSC
34    1976          2332         LSC
35    2696          652          (none)
36    2312          964          LSC
37    2004          940          LSC
38    1588          1748         LSC
39    1704          1000         LSC
40    1444          1016         (none)
41    2328          2268         LSC
42    2988          3016         (none)
43    1204          1500         LSC
44    1992          2188         LSC
45    896           2056         (none)
46    1708          2536         LSC
47    2172          2748         (none)
48    2080          2912         LSC
49    2192          2640         LSC
50    2612          3028         LSC
51    2388          2044         LSC
52    2432          1732         LSC
53    1396          2500         (none)
54    1736          2516         LSC
55    2008          780          LSC
56    1480          1764         LSC
57    2128          1784         LSC
58    996           608          LSC
59    2300          2472         LSC
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:112
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1664
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2696
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:2928
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:1636
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2280
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2504
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1720
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2924
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1748
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:1568
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:1824
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:1016
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2480
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:3012
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2996
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:1780
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1204
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2980
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:2688
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:896
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1644
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2396
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2716
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:1908
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1668
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:1292
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2912
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2824
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2568
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:3028
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:3036
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:1592
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1140
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2512
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:1396
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2936
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1228
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:1528
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:2008
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2024
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1032
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2128
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:2596
-
-
C:\Windows\system32\cmd.execmd /c start shutdown -f -r -t 001⤵PID:2116
-
C:\Windows\system32\shutdown.exeshutdown -f -r -t 002⤵PID:2856
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:2788
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:1748
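The tree above shows two behaviours worth a detection rule rather than a single-process signature: dozens of `cmd /c start sc start CleverSoar` wrappers each spawning `sc start CleverSoar`, and then a forced, zero-delay reboot (`shutdown -f -r -t 00`) that would make the new service's autostart take effect. The following Python is an added example, not part of the sandbox report or of the sample; it runs a burst-plus-reboot correlation over constructed process-creation records laid out in the shape of Sysmon Event ID 1 fields (`UtcTime`, `Image`, `CommandLine`, `ProcessId`). The PIDs and timestamps in the sample records are illustrative, and the thresholds (5 starts in 30 seconds, delay 0) are assumptions you would tune to your environment.

```python
"""Correlate a burst of `sc start <service>` launches with an immediate forced
reboot, the sequence recorded in the process tree above.

Added example: the records below are constructed in the shape of Sysmon
Event ID 1 (process creation) fields and are not the sandbox's export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CMD = r"C:\Windows\system32\cmd.exe"
SC = r"C:\Windows\system32\sc.exe"
SHUTDOWN = r"C:\Windows\system32\shutdown.exe"

# `sc start <name>` with or without the .exe suffix; the service name is group 1.
SC_START_RE = re.compile(r"(?:^|\s)sc(?:\.exe)?\s+start\s+(\S+)", re.IGNORECASE)


def ev(when, image, cmdline, pid):
    return {"UtcTime": when, "Image": image, "CommandLine": cmdline, "ProcessId": pid}


def build_sample_events():
    """Constructed records mirroring the tree: benign noise, 12 start pairs, reboot."""
    base = datetime(2024, 11, 13, 11, 22, 30)  # illustrative timestamp
    events = [
        # benign noise: a single admin-style service start must not trip the rule
        ev(base, CMD, "cmd /c sc start Spooler", 1500),
        ev(base + timedelta(milliseconds=20), SC, "sc start Spooler", 1504),
    ]
    for i in range(12):  # the cmd.exe -> sc.exe pairs repeated in the tree
        t = base + timedelta(seconds=1 + 0.4 * i)
        events.append(ev(t, CMD, "cmd /c start sc start CleverSoar", 2000 + 2 * i))
        events.append(ev(t + timedelta(milliseconds=25), SC, "sc start CleverSoar", 2001 + 2 * i))
    t = base + timedelta(seconds=7)
    events.append(ev(t, CMD, "cmd /c start shutdown -f -r -t 00", 2116))
    events.append(ev(t + timedelta(milliseconds=30), SHUTDOWN, "shutdown -f -r -t 00", 2856))
    return events


def sc_start_name(e):
    """Lower-cased service name if `e` is sc.exe starting a service, else None."""
    if not e["Image"].lower().endswith("\\sc.exe"):
        return None  # the cmd.exe wrappers carry the same text; count sc.exe only
    m = SC_START_RE.search(e["CommandLine"])
    return m.group(1).lower() if m else None


def service_start_bursts(events, min_count=5, window=timedelta(seconds=30)):
    """Map service name -> max number of sc.exe starts inside any `window`."""
    starts = defaultdict(list)
    for e in events:
        name = sc_start_name(e)
        if name:
            starts[name].append(e["UtcTime"])
    bursts = {}
    for svc, times in starts.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_count:
            bursts[svc] = best
    return bursts


def parse_shutdown(cmdline):
    """Return (set of switches without their -/ prefix, -t delay in seconds or None)."""
    toks = cmdline.split()
    flags = {t.lstrip("-/").lower() for t in toks[1:] if t[:1] in "-/"}
    delay = None
    for i, t in enumerate(toks):
        if t.lower() in ("-t", "/t") and i + 1 < len(toks) and toks[i + 1].isdigit():
            delay = int(toks[i + 1])
    return flags, delay


def is_immediate_forced_reboot(cmdline, max_delay=0):
    """True for a shutdown that forces apps closed (-f), reboots (-r), waits <= max_delay s."""
    flags, delay = parse_shutdown(cmdline)
    return "r" in flags and "f" in flags and delay is not None and delay <= max_delay


def analyze(events):
    """Burst of service starts, then the first forced reboot after the burst began."""
    bursts = service_start_bursts(events)
    reboot = None
    if bursts:
        first_start = min(e["UtcTime"] for e in events if sc_start_name(e) in bursts)
        for e in sorted(events, key=lambda e: e["UtcTime"]):
            if (e["UtcTime"] >= first_start
                    and e["Image"].lower().endswith("\\shutdown.exe")
                    and is_immediate_forced_reboot(e["CommandLine"])):
                reboot = e["CommandLine"]
                break
    return {"bursts": bursts, "reboot_cmdline": reboot}


if __name__ == "__main__":
    print(analyze(build_sample_events()))
```

Counting only `sc.exe` executions avoids double-counting the `cmd.exe` wrapper that carries the same text, and requiring `-f` together with a zero delay keeps an administrator's scheduled `shutdown /r /t 300` from matching.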
Network
MITRE ATT&CK Enterprise v15
Persistence
    Create or Modify System Process (T1543): 1
        Windows Service (T1543.003): 1
    Event Triggered Execution (T1546): 1
        Installer Packages (T1546.016): 1
Privilege Escalation
    Create or Modify System Process (T1543): 1
        Windows Service (T1543.003): 1
    Event Triggered Execution (T1546): 1
        Installer Packages (T1546.016): 1
Downloads
-
Filesize: 13.8MB
MD5: 25968242527892b83da16c38e5158cb0
SHA1: 4169621dafe6a4d5e73784ef57ee715386f5038b
SHA256: e8f5c31034be6324943433814867cad097d4358e21b3ce46054a1366d8488565
SHA512: 7710b7eec294333c6588984f9b73cb27cf801b7ea55b4348e18eaf565559ee86713a60f8f21853be96af011864dbc25b6c790d9ebaa82d2496942f059600b411
-
Filesize: 577KB
MD5: f77c0b61806b6865c888592e178294c3
SHA1: e9e0b393cc977fbdbc44fe19d92879a38a4dad0c
SHA256: b85490de04744a2e30a815bfad752b520e87f71a1ce92dd23a0ed975b4836c82
SHA512: b4214f31ce76ba40d57ff64d204b3e0943a66e0b58302a22a92dbba98b847cbd6191a780e8940bea0498771a207c7024370b61fcbf310b22824d2b632efa7f12
-
Filesize: 577KB
MD5: fbc6e272e89203cb9ddb3f88b4954deb
SHA1: fc75778e7e0c9f1bb67bc1097fdb9a5bcd5e7a0d
SHA256: 99026dc8b99c6ea934b943f41a543f39040d837650d7f185ebd9f147a49ea1b6
SHA512: b010571d7924e35feedc32ad82020dc85903cf4e8a606ee055f6f4f6485982839ad1bad83f56301610d9b063a7fe55d403e6113a8c285c06d96c9b3ec8783425
-
Filesize: 55KB
MD5: 591cbc59b64c8592744ae5f8f02daa4b
SHA1: 3d3556785d30ec2095beee1275b708d307e90a3c
SHA256: 1b0852406450e6c369c8bdd600976fd52e4ed3d6125659ba0845ea537dad2bcb
SHA512: 99af9f665bc9f2c4751825ce5a2a2da719b6db3e811668ac555f5a2a0f7cf0e6c4e902e250751084f8b7787980cd4efe1af6251f07e6d971717fb705706c3cc9
-
Filesize: 55KB
MD5: 2f2bf41e2cae24881b7353510b3b35e8
SHA1: 21babd383c1e89eed4993760e2f64ef8ea39aedd
SHA256: 826a8a6b44d5ea01cf7d23b0941e8e0591e83c9d246ccd052d6739d736f35133
SHA512: 96b878fc10c345f4090b410c51d2f6617fbaa7cd9a67c288e4e3c5c49b43a4613c030d10e89baa03d1b780ace4de0e6c7c66dbf6a7e3d92d93a16c4ce1c7845e
-
Filesize: 29KB
MD5: 6177495bc3fe9c1c9ddb004cce5e51ac
SHA1: 5b2d16055a93ee4fceedc0f308f3733156f5deb8
SHA256: 5fbfd09294d7e0fc9a86964c68d646a6a74d590762b75b65ce138ce356ca1b51
SHA512: 4f725f9a75113a192aba27c96efb3c387559d64be0ee30f26cc74bd0fddc1f57ca1592054dde18fe5dd9516ab017801705b043dfa40ca3d85a6cc5f2ee9105a7
-
Filesize: 29KB
MD5: c6cd33f25c71000e089e3ba2a18e907a
SHA1: 853f963fd6edcb07e199c20eac25177f2894c5ba
SHA256: 161196b017d1fa466c9b806e2d62614026e9d34958eb47af0dab270f4eca881c
SHA512: a27b014fc0df449a39111067ce21ba3ef2ead39d1a2abad9d9e61a60b43f53d50d2789a61961dced1fe3782d55e42fc084fa06eec335a51b802d6a4c13436bd7
-
Filesize: 73KB
MD5: 1ed346bcc3cc05a73f8391ffcd7f60cc
SHA1: 3df7906454103d79ab93148e9a3e8f0ed6e9c90d
SHA256: e7b4f3562ab8e296701316291a73b0aadd9ba9f5e98c64d97fea35b21a670a21
SHA512: e5f57a73744fecdbf2b329f6f24c816b86e883bbc56b9b9b0049271d59c39c7b677a5eea8a846c487f23f5d9c8dcf027e9df548b604cdad98fad221949f49c91
-
Filesize: 13.8MB
MD5: b847332b6221ef7b0ab9233f47934dc9
SHA1: 6dfe21baadbdfb5b4fd4c97041f333dc879f0faa
SHA256: 8239c85adbeeff92dfa7ae4d30eda9cea602c9bf13609c5db2250dbc995f9161
SHA512: 7cb582c5aa8768a2032ae1c16989f8dae4650dd5b17de025277acf373182de076a2f65d44c8e534cb55647ff206a9ed86be370d7417cdaf8a6ee6c19a68922db
-
Filesize: 14.4MB (the submitted sample, nfd49_64.msi)
MD5: 28be818ac9500048abe00f46c93def8c
SHA1: 11dd4516325e2d032f07f8a90aa66c035fb48c3c
SHA256: 6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0
SHA512: 55f80e299a0e548586100a6cbd1d5af0741a5d1e19b67648fb2a2fe51c6e43475e9066386711c824750cb4a3331c5c7d5208d5037dcfa1f873f1679738baa12f