Analysis

- max time kernel: 33s
- max time network: 35s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 11:22

Static task: static1
Behavioral task: behavioral1
- Sample: nfd49_64.msi
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: nfd49_64.msi
- Resource: win10v2004-20241007-en
Errors

The results on this page are from the behavioral2 run (win10v2004-20241007-en, x64); the win7 run is not shown here.

General
- Target: nfd49_64.msi
- Size: 14.4MB
- MD5: 28be818ac9500048abe00f46c93def8c
- SHA1: 11dd4516325e2d032f07f8a90aa66c035fb48c3c
- SHA256: 6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0
- SHA512: 55f80e299a0e548586100a6cbd1d5af0741a5d1e19b67648fb2a2fe51c6e43475e9066386711c824750cb4a3331c5c7d5208d5037dcfa1f873f1679738baa12f
- SSDEEP: 393216:+/j2n3TlfPqX5sL1AAaB1/s7qUYCGMkqT2LY:T3TBoyQ+aA6
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
The service is CleverSoar, registered through sc.exe as a kernel-mode driver service (type= kernel, start= auto) whose binPath is the dropped C:\Program Files (x86)\Windows NT\tProtect.dll (see the process tree). A kernel service whose image is a .dll outside C:\Windows\System32\drivers is worth alerting on by itself, whatever the driver does.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe (PIDs 636 and 3672)
File opened (read-only) by msiexec.exe: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Each of these 23 drive letters appears twice in the list (once per msiexec.exe instance); C:, D: and F: are not probed. msiexec.exe does this for ordinary MSI installs too, so it carries little weight on its own.
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: MsiExec.exe
pid 1568 MsiExec.exe (2 calls)
PID 1568 is the MsiExec.exe custom-action host (started with -Embedding) that also loads a dropped DLL, so the anti-debugging call is attributable to the package's custom-action code, not to the Windows Installer service itself.
Drops file in Program Files directory 15 IoCs
Processes: MsiExec.exe, msiexec.exe, 7za.exe
File created   C:\Program Files (x86)\Windows NT\Update.png   MsiExec.exe
File opened for modification   C:\Program Files (x86)\Windows NT\Update.png   MsiExec.exe
File created   C:\Program Files (x86)\Windows NT\locale2.dat   MsiExec.exe
File created   C:\Program Files (x86)\Windows NT\locale3.dat   MsiExec.exe
File created   C:\Program Files (x86)\Windows NT\7za.bin   msiexec.exe
File created   C:\Program Files (x86)\Windows NT\locale4.bin   msiexec.exe
File created   C:\Program Files (x86)\Windows NT\locale4.dat   MsiExec.exe
File created   C:\Program Files (x86)\Windows NT\7za.exe   MsiExec.exe
File created   C:\Program Files (x86)\Windows NT\locale2.bin   msiexec.exe
File created   C:\Program Files (x86)\Windows NT\locale3.bin   msiexec.exe
File created   C:\Program Files (x86)\Windows NT\tProtect.dll   7za.exe
File opened for modification   C:\Program Files (x86)\Windows NT\tProtect.dll   7za.exe
File created   C:\Program Files (x86)\Windows NT\locale.bin   msiexec.exe
File created   C:\Program Files (x86)\Windows NT\locale.dat   MsiExec.exe
File created   C:\Program Files (x86)\Windows NT\INIT.DAT   MsiExec.exe
The split between writers is informative: the Windows Installer service (msiexec.exe, PID 3672) writes the *.bin files, the custom-action host (MsiExec.exe, PID 1568) writes the *.dat files, 7za.exe and INIT.DAT, and tProtect.dll is written by 7za.exe when it extracts locale3.dat with the password visible in the process tree. The drop directory C:\Program Files (x86)\Windows NT\ mimics a Windows component folder.
Drops file in Windows directory 9 IoCs
Processes: msiexec.exe
File opened for modification   C:\Windows\Installer\   msiexec.exe
File created   C:\Windows\Installer\e57e11b.msi   msiexec.exe
File created   C:\Windows\Installer\e57e119.msi   msiexec.exe
File opened for modification   C:\Windows\Installer\e57e119.msi   msiexec.exe
File created   C:\Windows\Installer\SourceHash{78795594-0F3D-4C8E-BF36-CEDD20652AC5}   msiexec.exe
File opened for modification   C:\Windows\Installer\MSIE213.tmp   msiexec.exe
File opened for modification   C:\Windows\Installer\MSIE39A.tmp   msiexec.exe
File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log   msiexec.exe
File created   C:\Windows\Installer\inprogressinstallinfo.ipi   msiexec.exe
These are the standard Windows Installer cache artifacts: the cached copy of the package (e57e119.msi / e57e11b.msi) and a SourceHash file named after the ProductCode {78795594-0F3D-4C8E-BF36-CEDD20652AC5}, which is the same GUID that appears in packed form as the Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C registry key listed under "Modifies registry class".
Executes dropped EXE 1 IoCs
Processes: 7za.exe
pid 3548 7za.exe
Launches sc.exe 64 IoCs
sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (64 instances; the list stops at 64 entries, as do several other signatures on this page, and PIDs are reused within the run)
pids: 404, 3212, 1516, 2800, 2052, 1556, 2696, 2680, 2820, 1600, 4344, 4424, 3548, 3032, 4656, 4656, 2032, 632, 3032, 548, 3996, 2268, 624, 1120, 2056, 2724, 2972, 3144, 2596, 4572, 4524, 2140, 1768, 652, 664, 208, 1496, 3224, 3112, 2140, 2488, 2556, 2512, 2828, 4636, 3596, 624, 2740, 3340, 3956, 4504, 3440, 4720, 1176, 4444, 1144, 3340, 1200, 2620, 632, 2384, 1348, 4432, 5020 (all sc.exe)
One invocation is the `sc create CleverSoar ... type= kernel start= auto` shown in the process tree; all the others are `sc start CleverSoar`, issued in a tight loop.
Loads dropped DLL 1 IoCs
Processes: MsiExec.exe
pid 1568 MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 7za.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   7za.exe
Any process that queries the system locale touches this key, and here the reader is the dropped 7-Zip binary, so on its own this is a weak signal.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Here, however, every access is by vssvc.exe (PID 3372), the Volume Shadow Copy service, while it creates the system restore point that the installer requests before the install (srtasks.exe ExecuteScopeRestorePoint in the process tree). That is normal installer activity, not a sandbox check by the sample.
Processes: vssvc.exe
(keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters)
Key queried   Device Parameters   vssvc.exe
Key created   Device Parameters\Partmgr   vssvc.exe
Set value (data)   Device Parameters\Partmgr\PartitionTableCache = (value omitted)   vssvc.exe
Set value (data)   Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   vssvc.exe
Key opened   Device Parameters   vssvc.exe
Modifies data under HKEY_USERS 20 IoCs
Processes: msiexec.exe, LogonUI.exe, MsiExec.exe
Only the two MsiExec.exe entries are attributable to the package: the custom-action host (PID 1568) creates a Software\Magisk key under .DEFAULT and stores ring3_username = "Admin" (the sandbox user name) in it. The LogonUI.exe entries are the logon screen's theme and DWM colour values written after the sample's forced reboot (shutdown -f -r -t 00), and the msiexec.exe MuiCache entries are ordinary installer housekeeping.
(keys below are under \REGISTRY\USER\.DEFAULT\)
Key deleted   Software\Classes\Local Settings\MuiCache\26   msiexec.exe
Set value (data)   Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\DWM\AccentColor = "4292311040"   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\DWM\EnableWindowColorization = "64"   LogonUI.exe
Key deleted   SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E   msiexec.exe
Key created   Software\Magisk   MsiExec.exe
Set value (int)   Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"   LogonUI.exe
Key created   Software\Classes\Local Settings\MuiCache\27   msiexec.exe
Set value (str)   Software\Magisk\ring3_username = "Admin"   MsiExec.exe
Key created   Software\Microsoft\Windows\CurrentVersion\Themes\History   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"   LogonUI.exe
Key created   Software\Microsoft\Windows\CurrentVersion\Explorer\Accent   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"   LogonUI.exe
Set value (int)   Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"   LogonUI.exe
Key created   Software\Microsoft\Windows\DWM   LogonUI.exe
Modifies registry class 22 IoCs
Processes: msiexec.exe
(keys below are under \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\; P = Products\49559787D3F0E8C4FB63ECDD0256A25C, the packed ProductCode)
Set value (data)   P\Clients = 3a0000000000   msiexec.exe
Key created   P   msiexec.exe
Set value (int)   P\Language = "1033"   msiexec.exe
Set value (int)   P\Version = "16973832"   msiexec.exe
Set value (int)   P\InstanceType = "0"   msiexec.exe
Set value (int)   P\AuthorizedLUAApp = "0"   msiexec.exe
Key created   P\SourceList   msiexec.exe
Set value (str)   P\SourceList\Media\1 = ";"   msiexec.exe
Key created   Features\49559787D3F0E8C4FB63ECDD0256A25C   msiexec.exe
Set value (str)   Features\49559787D3F0E8C4FB63ECDD0256A25C\ProdFeature   msiexec.exe
Set value (int)   P\Assignment = "1"   msiexec.exe
Key created   UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C   msiexec.exe
Key created   P\SourceList\Net   msiexec.exe
Set value (str)   P\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"   msiexec.exe
Set value (str)   P\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"   msiexec.exe
Set value (str)   P\ProductName = "Setup"   msiexec.exe
Set value (str)   P\PackageCode = "ABFF0937B01A87E41854A75335A0BDA6"   msiexec.exe
Set value (int)   P\AdvertiseFlags = "388"   msiexec.exe
Set value (int)   P\DeploymentFlags = "3"   msiexec.exe
Set value (str)   UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C\49559787D3F0E8C4FB63ECDD0256A25C   msiexec.exe
Set value (str)   P\SourceList\PackageName = "nfd49_64.msi"   msiexec.exe
Key created   P\SourceList\Media   msiexec.exe
This is the normal product registration Windows Installer performs for every package, but the values are useful triage data: the product calls itself "Setup", Language 1033 is en-US, Version 16973832 is 0x01030008, i.e. ProductVersion 1.3.8, the package was installed from C:\Users\Admin\AppData\Local\Temp\, and the product, upgrade and package codes above are the stable identifiers to pivot on across other samples of the same builder.
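The Products key name and the SourceHash file name under C:\Windows\Installer are the same ProductCode in two encodings: the registry uses the Darwin descriptor (the GUID with its first three fields reversed as strings and the remaining bytes swapped pairwise), the cache file uses the plain GUID. Converting between them is how an analyst ties the registry artifacts above to the files under C:\Windows\Installer and to the product's Uninstall key. The Python below is an added example, not part of this report; the constants are copied from the IoCs on this page, and the Uninstall key path is the standard Windows Installer location rather than something the report shows.

```python
import re

# Values copied from the IoCs in this report.
PRODUCT_KEY = "49559787D3F0E8C4FB63ECDD0256A25C"           # Installer\Products\<packed ProductCode>
SOURCEHASH_GUID = "{78795594-0F3D-4C8E-BF36-CEDD20652AC5}"  # C:\Windows\Installer\SourceHash{ProductCode}
UPGRADE_KEY = "ABCBC521D000113428DCA4ABCB7D434C"           # Installer\UpgradeCodes\<packed UpgradeCode>
PACKAGE_CODE = "ABFF0937B01A87E41854A75335A0BDA6"          # PackageCode value (also packed)
PRODUCT_VERSION = 16973832                                  # Version value (packed DWORD)

PACKED_RE = re.compile(r"[0-9A-F]{32}")
GUID_RE = re.compile(r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}")


def _swap_pairs(hexstr):
    """Reverse every two-character group: 'CEDD' -> 'ECDD'."""
    return "".join(hexstr[i:i + 2][::-1] for i in range(0, len(hexstr), 2))


def unpack_guid(packed):
    """Darwin descriptor -> '{GUID}'. Fields 1-3 are stored reversed as strings,
    fields 4 and 5 are stored byte-swapped."""
    p = packed.upper()
    if not PACKED_RE.fullmatch(p):
        raise ValueError("packed GUID must be 32 hex digits")
    a, b, c = p[0:8][::-1], p[8:12][::-1], p[12:16][::-1]
    tail = _swap_pairs(p[16:32])
    return f"{{{a}-{b}-{c}-{tail[:4]}-{tail[4:]}}}"


def pack_guid(guid):
    """'{GUID}' -> Darwin descriptor (inverse of unpack_guid)."""
    g = guid.strip("{}").upper()
    if not GUID_RE.fullmatch(g):
        raise ValueError("bad GUID")
    a, b, c, d, e = g.split("-")
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d + e)


def decode_version(v):
    """Installer Version DWORD: major in the top byte, minor in the next byte,
    build in the low word (16973832 = 0x01030008 -> 1.3.8)."""
    v = int(v)
    return f"{v >> 24}.{(v >> 16) & 0xFF}.{v & 0xFFFF}"


def installer_artifacts(packed):
    """Locations that share one ProductCode. The Products key and SourceHash file
    appear in this report; the Uninstall key is the standard location and is
    assumed here, not taken from the report."""
    guid = unpack_guid(packed)
    return {
        "products_key": r"HKLM\SOFTWARE\Classes\Installer\Products" + "\\" + packed,
        "sourcehash": r"C:\Windows\Installer\SourceHash" + guid,
        "uninstall_key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" + "\\" + guid,
    }


if __name__ == "__main__":
    print(unpack_guid(PRODUCT_KEY), "version", decode_version(PRODUCT_VERSION))
    for name, location in installer_artifacts(PRODUCT_KEY).items():
        print(f"{name:14} {location}")
```

Running it on the report's own values reproduces the SourceHash GUID from the Products key name, which confirms the two artifacts describe the same installation; the same functions turn the UpgradeCodes key and PackageCode value into GUIDs that can be searched for in other samples.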
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: msiexec.exe, MsiExec.exe
pid 3672 msiexec.exe (2 events), pid 1568 MsiExec.exe (10 events)
-
Suspicious behavior: LoadsDriver 64 IoCs
Processes: PID 668 (no image name recorded), 64 driver-load events
PID 668 does not appear in the process tree, and the report does not record which driver images were loaded, so whether any of these events correspond to tProtect.dll cannot be read from this page.
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe
pid 636 msiexec.exe (the client, msiexec /I) adjusted: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
pid 3672 msiexec.exe (the Windows Installer service, msiexec /V) adjusted: SeSecurityPrivilege, SeBackupPrivilege, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternately for the rest of the list
pid 3372 vssvc.exe adjusted: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
The privilege set on PID 636 is essentially every privilege an elevated token can carry and is what the Windows Installer client requests on any install; it is not specific to this sample. SeLoadDriverPrivilege is in that list, but the driver here is registered through sc.exe as a service rather than loaded directly.
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: msiexec.exe
pid 636 msiexec.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: LogonUI.exe
pid 4000 LogonUI.exe
LogonUI.exe is the Windows logon screen, which appears after the sample's forced reboot; it is not a sample process.
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msiexec.exe, MsiExec.exe, cmd.exe (multiple instances)
Every pair below is a parent writing into a child it has just created, which CreateProcess does for any new process; read this list as a process-lineage record, not as evidence of injection. Format: source PID (image) → target PID [procid_target] × number of events.
3672 (msiexec.exe) → 1944 [103] ×2
3672 (msiexec.exe) → 1568 [105] ×2
4376 (cmd.exe) → 4432 [107] ×2
1568 (MsiExec.exe) → 1460 [109] ×2
1460 (cmd.exe) → 3548 [185] ×3
4572 (cmd.exe) → 2680 [113] ×2
1324 (cmd.exe) → 2820 [116] ×2
3692 (cmd.exe) → 2556 [119] ×2
4856 (cmd.exe) → 208 [122] ×2
5040 (cmd.exe) → 1600 [125] ×2
3740 (cmd.exe) → 1176 [198] ×2
2696 (cmd.exe) → 1572 [168] ×2
5032 (cmd.exe) → 2596 [171] ×2
4496 (cmd.exe) → 2800 [206] ×2
4828 (cmd.exe) → 4424 [176] ×2
4804 (cmd.exe) → 4344 [143] ×2
3112 (cmd.exe) → 404 [146] ×2
3996 (cmd.exe) → 4572 [184] ×2
632 (cmd.exe) → 2740 [152] ×2
2488 (cmd.exe) → 4444 [155] ×2
4340 (cmd.exe) → 4856 [158] ×2
3032 (cmd.exe) → 3340 [161] ×2
2384 (cmd.exe) → 624 [164] ×2
3300 (cmd.exe) → 2512 [167] ×2
4084 (cmd.exe) → 2840 [170] ×2
1712 (cmd.exe) → 2828 [173] ×2
4376 (cmd.exe) → 4424 [176] ×2
4324 (cmd.exe) → 4636 [179] ×2
4604 (cmd.exe) → 3212 [182] ×2
4572 (cmd.exe) → 3548 [185] ×2
4852 (cmd.exe) → 2620 [220] ×2
1476 (cmd.exe) → 1120 [191] ×1 (list capped at 64 entries)
Note that procid_target 185 is used both for 1460 → 3548 (the 7za.exe child) and for 4572 → 3548 (an sc.exe child): PID 3548 was reused within the run.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. Here it is exercised by the restore point the installer creates before installing (srtasks.exe ExecuteScopeRestorePoint in the process tree), which also accounts for the vssvc.exe SCSI registry activity above.
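The three behaviours that matter for detection in this run are visible as command lines in the process tree below: a kernel-mode service registered with `sc create ... type= kernel` whose binPath is a .dll under Program Files, the same service started over and over with `sc start`, and a dropped 7-Zip binary extracting the driver from locale3.dat with an inline password. The Python below is an added example, not part of this report or of the sample: it runs that detection logic over a constructed list of process-creation records whose command lines are copied from the tree (the GoodDrv record is a made-up benign control). The (pid, image, command line) layout and the retry threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample of process-creation events (pid, image, command line) in
# chronological order. Command lines are copied from the process tree in this
# report; the GoodDrv record is a made-up benign control, not from the report.
SAMPLE_EVENTS = [
    (1460, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs"),
    (4432, r"C:\Windows\system32\sc.exe",
     r'sc create CleverSoar displayname= CleverSoar binPath= '
     r'"C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto'),
    (2680, r"C:\Windows\system32\sc.exe", "sc start CleverSoar"),
    (2820, r"C:\Windows\system32\sc.exe", "sc start CleverSoar"),
    (2556, r"C:\Windows\system32\sc.exe", "sc start CleverSoar"),
    (4940, r"C:\Windows\system32\shutdown.exe", "shutdown -f -r -t 00"),
    (9001, r"C:\Windows\system32\sc.exe",
     r'sc create GoodDrv binPath= "C:\Windows\System32\drivers\good.sys" type= kernel start= demand'),
]

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
START_RETRY_THRESHOLD = 3   # assumed; the report shows more than 60 attempts

# sc.exe verb + service name. Matches the sc.exe record itself, not its cmd.exe
# parent ("cmd /c start sc start ..."), so each attempt is counted once.
SC_VERB = re.compile(r'^\s*"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+(create|start)\s+(\S+)', re.I)
# sc.exe's 'key= value' syntax: sc requires the space after '=', hence \s*.
SC_KV = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')
SEVENZIP_PW = re.compile(r'\b7za?(?:\.exe)?\s+[xe]\b.*\s-p(\S+)', re.I)
REBOOT = re.compile(r'\bshutdown(?:\.exe)?\b.*\s-r\b', re.I)


def parse_sc_options(cmdline):
    """'key= value' pairs of an sc create line -> dict keyed by lowercase option name."""
    return {k.lower(): (q or u) for k, q, u in SC_KV.findall(cmdline)}


def driver_findings(name, opts):
    """Flag a kernel-mode service whose image is not a .sys under the drivers directory."""
    if opts.get("type", "").lower() != "kernel":
        return []
    path = opts.get("binpath", "").lower()
    out = []
    if not path.endswith(".sys"):
        out.append(f"{name}: kernel service image is not a .sys file: {path}")
    if not path.startswith(DRIVER_DIR):
        out.append(f"{name}: kernel service image outside {DRIVER_DIR}")
    return out


def analyze(events):
    report = {"findings": [], "kernel_services": {}, "start_counts": Counter(),
              "archive_passwords": []}
    for pid, image, cmdline in events:
        m = SEVENZIP_PW.search(cmdline)
        if m:
            # The password is itself an IoC: it lets an analyst unpack the same archive.
            report["archive_passwords"].append(m.group(1))
            report["findings"].append(f"pid {pid}: 7-Zip extraction with inline password")
        m = SC_VERB.match(cmdline)
        if not m:
            # Heuristic (assumed): a forced reboot after a start= auto driver service was
            # registered gets the driver loaded at boot even if 'sc start' never succeeded.
            if REBOOT.search(cmdline) and report["kernel_services"]:
                report["findings"].append(f"pid {pid}: forced reboot after kernel service registration")
            continue
        verb, name = m.group(1).lower(), m.group(2)
        if verb == "create":
            opts = parse_sc_options(cmdline)
            hits = driver_findings(name, opts)
            if hits:
                report["kernel_services"][name] = opts.get("binpath", "")
                report["findings"].extend(hits)
        else:
            report["start_counts"][name] += 1
    for name, n in report["start_counts"].items():
        if n >= START_RETRY_THRESHOLD:
            report["findings"].append(f"{name}: 'sc start' issued {n} times (retry loop)")
    return report


if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS)["findings"]:
        print(line)
```

Feed it real process-creation telemetry (Sysmon Event ID 1 or Security 4688) as (pid, image, command line) tuples. The kernel-service rule fires on the registration alone, before any driver code runs, and the benign GoodDrv record shows it stays quiet for a .sys installed under System32\drivers; the captured password is what lets an analyst repeat the extraction of locale3.dat in a lab with the same 7za command line.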
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nfd49_64.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:636
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1944
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 06AD235FB4EDD0A72A3A429BE96CD6C8 E Global\MSI00002⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568 -
C:\Windows\System32\cmd.execmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs3⤵
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Program Files (x86)\Windows NT\7za.exe7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs4⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -f -r -t 003⤵PID:2292
-
C:\Windows\system32\shutdown.exeshutdown -f -r -t 004⤵PID:4940
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3372
-
C:\Windows\system32\cmd.execmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto1⤵
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\system32\sc.exesc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto2⤵
- Launches sc.exe
PID:4432
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2680
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2820
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2556
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:208
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:5040 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1600
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1176
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:1572
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:5032 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2596
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:2800
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:4424
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:4344
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:404
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:4572
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2740
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:4444
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:4856
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:3340
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:624
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:3300 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2512 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1572
-
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:2840
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:2596
-
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2828
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:4424
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:4636
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:3212
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:3548
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2620
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1120
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:3540
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:3032
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:1348
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1516 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:1176
-
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2248
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2056
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2032
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵PID:4716
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2600
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2800
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:4808
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:1144
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2972
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:4524
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:4744
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:2724
-
-
C:\Windows\system32\cmd.execmd /c start sc start CleverSoar1⤵PID:2740
-
C:\Windows\system32\sc.exesc start CleverSoar2⤵
- Launches sc.exe
PID:632
-
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:2620
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3956  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:3404
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:652  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:3340
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2384  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:3292
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2052  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4084
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:1496  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:2840
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2140  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4228
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3224  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4324
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3112  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:5012
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:4656  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4572
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3548
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:2488
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:5020  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4584
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3404
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4600
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3340  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1516
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:4504  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1904
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2680
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:3392
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2140  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4008
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:5072
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:2340
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2972  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1200
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:4656  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4720
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:632  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4128
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3596  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:2292
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3032  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1988
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3292
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:3912
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:548  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1712
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2828
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4808
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:664  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1120
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3144  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1012
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3440  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4444
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2488  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4128
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2068
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:3616
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:624  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4084
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:1556  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4792
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2032  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:2828
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2600
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:664
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:3996  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1200
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:4744
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:3548
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:4656
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1476
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:1768  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:2832
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:1348  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:2512
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2696  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1904
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:4376
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:2596
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:2268  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:1144
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:4344
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4604
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:1200  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start sc start CleverSoar  PID:4660
  ⤵ C:\Windows\system32\sc.exe  sc start CleverSoar  PID:4720  [Launches sc.exe]
-
C:\Windows\system32\cmd.exe  cmd /c start shutdown -f -r -t 00  PID:4340
  ⤵ C:\Windows\system32\shutdown.exe  shutdown -f -r -t 00  PID:2724
-
C:\Windows\system32\LogonUI.exe  "LogonUI.exe" /flags:0x4 /state0:0xa3851055 /state1:0x41c64e6d  PID:4000  [Modifies data under HKEY_USERS] [Suspicious use of SetWindowsHookEx]
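The tree above repeats one pattern dozens of times: cmd.exe is spawned with `cmd /c start sc start CleverSoar`, each instance spawns sc.exe to (re)start the CleverSoar service, and the run ends with `shutdown -f -r -t 00`, a forced immediate reboot. A single `sc start` from an installer is unremarkable; the signal is the tight loop of service starts followed by the hard reboot. The following is an added example, not part of the sandbox output: detection logic that, run over process-creation records of the shape Sysmon Event ID 1 or Security 4688 provide, counts sc.exe service starts per service name and flags a forced reboot. The sample events are constructed from PIDs and command lines in this report; the threshold of three repeats and the `ProcEvent` record type are assumptions made for illustration.

```python
"""Flag an sc.exe service-start loop and a forced reboot in process-creation
events. Added example for this report, not sandbox output. Sample events are
constructed from the PIDs and command lines in the process tree."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 fields)."""
    pid: int
    image: str
    cmdline: str


# Constructed sample: three of the cmd.exe -> sc.exe pairs, the closing shutdown
# pair, and one benign sc.exe query that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(2620, r"C:\Windows\system32\cmd.exe", "cmd /c start sc start CleverSoar"),
    ProcEvent(3956, r"C:\Windows\system32\sc.exe", "sc start CleverSoar"),
    ProcEvent(3404, r"C:\Windows\system32\cmd.exe", "cmd /c start sc start CleverSoar"),
    ProcEvent(652, r"C:\Windows\system32\sc.exe", "sc start CleverSoar"),
    ProcEvent(3340, r"C:\Windows\system32\cmd.exe", "cmd /c start sc start CleverSoar"),
    ProcEvent(2384, r"C:\Windows\system32\sc.exe", "sc start CleverSoar"),
    ProcEvent(4340, r"C:\Windows\system32\cmd.exe", "cmd /c start shutdown -f -r -t 00"),
    ProcEvent(2724, r"C:\Windows\system32\shutdown.exe", "shutdown -f -r -t 00"),
    ProcEvent(1000, r"C:\Windows\system32\sc.exe", "sc query wuauserv"),  # benign noise
]

# "sc start <name>" or "sc.exe start <name>", case-insensitive.
SC_START = re.compile(r"(?i)\bsc(?:\.exe)?\s+start\s+(\S+)")


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works off-Windows too)."""
    return image.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def parse_sc_start(cmdline: str):
    """Return the service name from an 'sc start <name>' command line, else None."""
    m = SC_START.search(cmdline)
    return m.group(1) if m else None


def is_forced_reboot(image: str, cmdline: str) -> bool:
    """True for shutdown.exe run with both reboot (-r or /r) and force (-f or /f)."""
    if basename(image) != "shutdown.exe":
        return False
    flags = {tok.lower().lstrip("-/") for tok in cmdline.split()[1:]}
    return "r" in flags and "f" in flags


def analyze(events, loop_threshold: int = 3) -> dict:
    """Count sc.exe service starts per service and collect forced-reboot PIDs.

    Only sc.exe events are counted, so the cmd.exe wrappers carrying the same
    text do not double-count. loop_threshold is an illustrative assumption.
    """
    starts = Counter()
    reboot_pids = []
    for ev in events:
        if basename(ev.image) == "sc.exe":
            svc = parse_sc_start(ev.cmdline)
            if svc:
                starts[svc] += 1
        if is_forced_reboot(ev.image, ev.cmdline):
            reboot_pids.append(ev.pid)
    loops = {svc: n for svc, n in starts.items() if n >= loop_threshold}
    return {"service_start_loops": loops, "forced_reboot_pids": reboot_pids}


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

In a real pipeline the counting should be windowed by time and keyed on the parent chain (msiexec.exe → cmd.exe → sc.exe), since installers legitimately start a service once; the repeated starts plus a forced reboot issued by the installer is the combination to alert on.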
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Event Triggered Execution (T1546): 1
    Installer Packages (T1546.016): 1
Privilege Escalation
  Create or Modify System Process (T1543): 1
    Windows Service (T1543.003): 1
  Event Triggered Execution (T1546): 1
    Installer Packages (T1546.016): 1
Downloads
-
Filesize  13.8MB
MD5       5af662c7d1c31e07e7d8b2900c17b09f
SHA1      72dd7ae0183e46fda6eb5d5d0df49145f28c887a
SHA256    7dfb961cadd4f8d1a54c9c6b5fc00b404e7f7e4cf92a426d02e98193b336af2b
SHA512    d809ef03d83f088e5e48085ba5d74be8d16acb133bbf188df1d411a7b4bf21daf9b6b0df2961d2e62d1d21de9988cf1568842b0744b4c78d5ed63ac5693b7d6d
-
Filesize  577KB
MD5       f77c0b61806b6865c888592e178294c3
SHA1      e9e0b393cc977fbdbc44fe19d92879a38a4dad0c
SHA256    b85490de04744a2e30a815bfad752b520e87f71a1ce92dd23a0ed975b4836c82
SHA512    b4214f31ce76ba40d57ff64d204b3e0943a66e0b58302a22a92dbba98b847cbd6191a780e8940bea0498771a207c7024370b61fcbf310b22824d2b632efa7f12
-
Filesize  577KB
MD5       fbc6e272e89203cb9ddb3f88b4954deb
SHA1      fc75778e7e0c9f1bb67bc1097fdb9a5bcd5e7a0d
SHA256    99026dc8b99c6ea934b943f41a543f39040d837650d7f185ebd9f147a49ea1b6
SHA512    b010571d7924e35feedc32ad82020dc85903cf4e8a606ee055f6f4f6485982839ad1bad83f56301610d9b063a7fe55d403e6113a8c285c06d96c9b3ec8783425
-
Filesize  55KB
MD5       591cbc59b64c8592744ae5f8f02daa4b
SHA1      3d3556785d30ec2095beee1275b708d307e90a3c
SHA256    1b0852406450e6c369c8bdd600976fd52e4ed3d6125659ba0845ea537dad2bcb
SHA512    99af9f665bc9f2c4751825ce5a2a2da719b6db3e811668ac555f5a2a0f7cf0e6c4e902e250751084f8b7787980cd4efe1af6251f07e6d971717fb705706c3cc9
-
Filesize  55KB
MD5       2f2bf41e2cae24881b7353510b3b35e8
SHA1      21babd383c1e89eed4993760e2f64ef8ea39aedd
SHA256    826a8a6b44d5ea01cf7d23b0941e8e0591e83c9d246ccd052d6739d736f35133
SHA512    96b878fc10c345f4090b410c51d2f6617fbaa7cd9a67c288e4e3c5c49b43a4613c030d10e89baa03d1b780ace4de0e6c7c66dbf6a7e3d92d93a16c4ce1c7845e
-
Filesize  29KB
MD5       6177495bc3fe9c1c9ddb004cce5e51ac
SHA1      5b2d16055a93ee4fceedc0f308f3733156f5deb8
SHA256    5fbfd09294d7e0fc9a86964c68d646a6a74d590762b75b65ce138ce356ca1b51
SHA512    4f725f9a75113a192aba27c96efb3c387559d64be0ee30f26cc74bd0fddc1f57ca1592054dde18fe5dd9516ab017801705b043dfa40ca3d85a6cc5f2ee9105a7
-
Filesize  29KB
MD5       c6cd33f25c71000e089e3ba2a18e907a
SHA1      853f963fd6edcb07e199c20eac25177f2894c5ba
SHA256    161196b017d1fa466c9b806e2d62614026e9d34958eb47af0dab270f4eca881c
SHA512    a27b014fc0df449a39111067ce21ba3ef2ead39d1a2abad9d9e61a60b43f53d50d2789a61961dced1fe3782d55e42fc084fa06eec335a51b802d6a4c13436bd7
-
Filesize  73KB
MD5       1ed346bcc3cc05a73f8391ffcd7f60cc
SHA1      3df7906454103d79ab93148e9a3e8f0ed6e9c90d
SHA256    e7b4f3562ab8e296701316291a73b0aadd9ba9f5e98c64d97fea35b21a670a21
SHA512    e5f57a73744fecdbf2b329f6f24c816b86e883bbc56b9b9b0049271d59c39c7b677a5eea8a846c487f23f5d9c8dcf027e9df548b604cdad98fad221949f49c91
-
Filesize  13.8MB
MD5       b847332b6221ef7b0ab9233f47934dc9
SHA1      6dfe21baadbdfb5b4fd4c97041f333dc879f0faa
SHA256    8239c85adbeeff92dfa7ae4d30eda9cea602c9bf13609c5db2250dbc995f9161
SHA512    7cb582c5aa8768a2032ae1c16989f8dae4650dd5b17de025277acf373182de076a2f65d44c8e534cb55647ff206a9ed86be370d7417cdaf8a6ee6c19a68922db
-
Filesize  14.4MB
MD5       28be818ac9500048abe00f46c93def8c
SHA1      11dd4516325e2d032f07f8a90aa66c035fb48c3c
SHA256    6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0
SHA512    55f80e299a0e548586100a6cbd1d5af0741a5d1e19b67648fb2a2fe51c6e43475e9066386711c824750cb4a3331c5c7d5208d5037dcfa1f873f1679738baa12f
-
Filesize  24.1MB
MD5       225e2fffb4c188fe887964a956af587d
SHA1      87afc5fbeea7ef25ec775ec241925e586b8718e0
SHA256    47c87f65597b3d2aad6dd734890753a6831fdbaf47c2026d47b15caa89ed4d66
SHA512    e91412e7b9334a6b676b0fe8d60cbb4e25c03580fb32cecce00e5316725b08f9711192f3b20a800422380574d29d61bff1fbebdc46c8732b3d4ec470f0764b5c
-
\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1c347842-f6b1-496b-ae2f-63b878de5cb0}_OnDiskSnapshotProp
Filesize  6KB
MD5       c9380c27dacd7f0865eeea49f0c9ea69
SHA1      3191a956962c61972dbc8fad71c3da07ecc9477f
SHA256    27a5e46373e5d23500433b92282d777dd0c8ef861394c3fa0f0c04d0f9a1569c
SHA512    389c096d5572aafaa1d7371e6bd1a692b27e6c0e1a3d374764bbe55c1711e92b50dab26c8a61fdec6d20bd76d8a9a3326e5129961c24b51544fc1d1290d3bffc