Malware Analysis Report

2024-12-07 16:13

Sample ID: 241113-ngsl4azpes
Target: nfd49_64.msi.vir
SHA256: 6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0
Tags: discovery, execution, persistence, privilege_escalation
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0

Threat Level: Likely malicious

The file nfd49_64.msi.vir was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, execution, persistence, privilege_escalation

Creates new service(s)

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Executes dropped EXE

Drops file in Program Files directory

Loads dropped DLL

Drops file in Windows directory

System Location Discovery: System Language Discovery

Event Triggered Execution: Installer Packages

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 11:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 11:22

Reported: 2024-11-13 11:23

Platform: win7-20240729-en

Max time kernel: 26s

Max time network: 24s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nfd49_64.msi

Signatures

Creates new service(s)

Tags: persistence, execution

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\tProtect.dll C:\Program Files (x86)\Windows NT\7za.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\tProtect.dll C:\Program Files (x86)\Windows NT\7za.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Update.png C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale2.dat C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale4.dat C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\INIT.DAT C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\7za.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale3.dat C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\7za.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale2.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale3.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale4.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\Update.png C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale.dat C:\Windows\system32\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76e87c.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE946.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEA13.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76e87b.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76e87e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76e87c.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76e87b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows NT\7za.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\MsiExec.exe N/A

Event Triggered Execution: Installer Packages

Tags: persistence, privilege_escalation

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows NT\7za.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49559787D3F0E8C4FB63ECDD0256A25C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\Version = "16973832" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C\49559787D3F0E8C4FB63ECDD0256A25C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\PackageName = "nfd49_64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\ProductName = "Setup" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\PackageCode = "ABFF0937B01A87E41854A75335A0BDA6" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49559787D3F0E8C4FB63ECDD0256A25C\ProdFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows NT\7za.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 684 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1680 wrote to memory of 684 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1680 wrote to memory of 684 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1680 wrote to memory of 684 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1680 wrote to memory of 684 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1252 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1252 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1252 wrote to memory of 780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 684 wrote to memory of 1900 N/A C:\Windows\system32\MsiExec.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 1900 N/A C:\Windows\system32\MsiExec.exe C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 1900 N/A C:\Windows\system32\MsiExec.exe C:\Windows\system32\cmd.exe
PID 1900 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Windows NT\7za.exe
PID 1900 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Windows NT\7za.exe
PID 1900 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Windows NT\7za.exe
PID 1900 wrote to memory of 1496 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Windows NT\7za.exe
PID 1512 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1512 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1512 wrote to memory of 1172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2708 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2708 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2708 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1608 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1608 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1608 wrote to memory of 2116 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2496 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2496 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2496 wrote to memory of 2488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1976 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1976 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1976 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2384 wrote to memory of 604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2384 wrote to memory of 604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2384 wrote to memory of 604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1064 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1064 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1064 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1400 wrote to memory of 940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2376 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2376 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2376 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1648 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1648 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1648 wrote to memory of 1704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 576 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 576 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 576 wrote to memory of 1016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1828 wrote to memory of 2244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1828 wrote to memory of 2244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1828 wrote to memory of 2244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2268 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2268 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2268 wrote to memory of 2184 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2996 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2996 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2996 wrote to memory of 352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1204 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1204 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1204 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2012 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2012 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2012 wrote to memory of 328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1516 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nfd49_64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E0" "00000000000003C0"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 15D74EDB325251712746DFC9D0D9F174 M Global\MSI0000

C:\Windows\system32\cmd.exe

cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

C:\Windows\system32\sc.exe

sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

C:\Windows\system32\cmd.exe

cmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs

C:\Program Files (x86)\Windows NT\7za.exe

7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start shutdown -f -r -t 00

C:\Windows\system32\shutdown.exe

shutdown -f -r -t 00

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -f -r -t 00

C:\Windows\system32\shutdown.exe

shutdown -f -r -t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

N/A

Files

C:\Windows\Installer\MSIEA13.tmp

MD5 b847332b6221ef7b0ab9233f47934dc9
SHA1 6dfe21baadbdfb5b4fd4c97041f333dc879f0faa
SHA256 8239c85adbeeff92dfa7ae4d30eda9cea602c9bf13609c5db2250dbc995f9161
SHA512 7cb582c5aa8768a2032ae1c16989f8dae4650dd5b17de025277acf373182de076a2f65d44c8e534cb55647ff206a9ed86be370d7417cdaf8a6ee6c19a68922db

memory/684-22-0x0000000076F10000-0x0000000076F12000-memory.dmp

memory/684-24-0x0000000076F10000-0x0000000076F12000-memory.dmp

memory/684-26-0x0000000076F10000-0x0000000076F12000-memory.dmp

memory/684-27-0x0000000076F20000-0x0000000076F22000-memory.dmp

memory/684-29-0x0000000076F20000-0x0000000076F22000-memory.dmp

memory/684-31-0x0000000076F20000-0x0000000076F22000-memory.dmp

C:\Program Files (x86)\Windows NT\locale.bin

MD5 591cbc59b64c8592744ae5f8f02daa4b
SHA1 3d3556785d30ec2095beee1275b708d307e90a3c
SHA256 1b0852406450e6c369c8bdd600976fd52e4ed3d6125659ba0845ea537dad2bcb
SHA512 99af9f665bc9f2c4751825ce5a2a2da719b6db3e811668ac555f5a2a0f7cf0e6c4e902e250751084f8b7787980cd4efe1af6251f07e6d971717fb705706c3cc9

C:\Program Files (x86)\Windows NT\locale2.bin

MD5 2f2bf41e2cae24881b7353510b3b35e8
SHA1 21babd383c1e89eed4993760e2f64ef8ea39aedd
SHA256 826a8a6b44d5ea01cf7d23b0941e8e0591e83c9d246ccd052d6739d736f35133
SHA512 96b878fc10c345f4090b410c51d2f6617fbaa7cd9a67c288e4e3c5c49b43a4613c030d10e89baa03d1b780ace4de0e6c7c66dbf6a7e3d92d93a16c4ce1c7845e

C:\Program Files (x86)\Windows NT\locale3.bin

MD5 6177495bc3fe9c1c9ddb004cce5e51ac
SHA1 5b2d16055a93ee4fceedc0f308f3733156f5deb8
SHA256 5fbfd09294d7e0fc9a86964c68d646a6a74d590762b75b65ce138ce356ca1b51
SHA512 4f725f9a75113a192aba27c96efb3c387559d64be0ee30f26cc74bd0fddc1f57ca1592054dde18fe5dd9516ab017801705b043dfa40ca3d85a6cc5f2ee9105a7

C:\Program Files (x86)\Windows NT\locale4.bin

MD5 1ed346bcc3cc05a73f8391ffcd7f60cc
SHA1 3df7906454103d79ab93148e9a3e8f0ed6e9c90d
SHA256 e7b4f3562ab8e296701316291a73b0aadd9ba9f5e98c64d97fea35b21a670a21
SHA512 e5f57a73744fecdbf2b329f6f24c816b86e883bbc56b9b9b0049271d59c39c7b677a5eea8a846c487f23f5d9c8dcf027e9df548b604cdad98fad221949f49c91

C:\Program Files (x86)\Windows NT\7za.bin

MD5 f77c0b61806b6865c888592e178294c3
SHA1 e9e0b393cc977fbdbc44fe19d92879a38a4dad0c
SHA256 b85490de04744a2e30a815bfad752b520e87f71a1ce92dd23a0ed975b4836c82
SHA512 b4214f31ce76ba40d57ff64d204b3e0943a66e0b58302a22a92dbba98b847cbd6191a780e8940bea0498771a207c7024370b61fcbf310b22824d2b632efa7f12

C:\Program Files (x86)\Windows NT\7za.exe

MD5 fbc6e272e89203cb9ddb3f88b4954deb
SHA1 fc75778e7e0c9f1bb67bc1097fdb9a5bcd5e7a0d
SHA256 99026dc8b99c6ea934b943f41a543f39040d837650d7f185ebd9f147a49ea1b6
SHA512 b010571d7924e35feedc32ad82020dc85903cf4e8a606ee055f6f4f6485982839ad1bad83f56301610d9b063a7fe55d403e6113a8c285c06d96c9b3ec8783425

C:\Program Files (x86)\Windows NT\locale3.dat

MD5 c6cd33f25c71000e089e3ba2a18e907a
SHA1 853f963fd6edcb07e199c20eac25177f2894c5ba
SHA256 161196b017d1fa466c9b806e2d62614026e9d34958eb47af0dab270f4eca881c
SHA512 a27b014fc0df449a39111067ce21ba3ef2ead39d1a2abad9d9e61a60b43f53d50d2789a61961dced1fe3782d55e42fc084fa06eec335a51b802d6a4c13436bd7

C:\Config.Msi\f76e87d.rbs

MD5 25968242527892b83da16c38e5158cb0
SHA1 4169621dafe6a4d5e73784ef57ee715386f5038b
SHA256 e8f5c31034be6324943433814867cad097d4358e21b3ce46054a1366d8488565
SHA512 7710b7eec294333c6588984f9b73cb27cf801b7ea55b4348e18eaf565559ee86713a60f8f21853be96af011864dbc25b6c790d9ebaa82d2496942f059600b411

C:\Windows\Installer\f76e87b.msi

MD5 28be818ac9500048abe00f46c93def8c
SHA1 11dd4516325e2d032f07f8a90aa66c035fb48c3c
SHA256 6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0
SHA512 55f80e299a0e548586100a6cbd1d5af0741a5d1e19b67648fb2a2fe51c6e43475e9066386711c824750cb4a3331c5c7d5208d5037dcfa1f873f1679738baa12f

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 11:22

Reported

2024-11-13 11:23

Platform

win10v2004-20241007-en

Max time kernel

33s

Max time network

35s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nfd49_64.msi

Signatures

Creates new service(s)

persistence execution

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\Update.png C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Update.png C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale2.dat C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale3.dat C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\7za.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale4.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale4.dat C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\7za.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale2.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale3.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\tProtect.dll C:\Program Files (x86)\Windows NT\7za.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\tProtect.dll C:\Program Files (x86)\Windows NT\7za.exe N/A
File created C:\Program Files (x86)\Windows NT\locale.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Windows NT\locale.dat C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files (x86)\Windows NT\INIT.DAT C:\Windows\System32\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57e11b.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57e119.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57e119.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{78795594-0F3D-4C8E-BF36-CEDD20652AC5} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE213.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE39A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows NT\7za.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows NT\7za.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not captured) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64" C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Magisk C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Magisk\ring3_username = "Admin" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\Version = "16973832" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49559787D3F0E8C4FB63ECDD0256A25C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49559787D3F0E8C4FB63ECDD0256A25C\ProdFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\ProductName = "Setup" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\PackageCode = "ABFF0937B01A87E41854A75335A0BDA6" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C\49559787D3F0E8C4FB63ECDD0256A25C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\PackageName = "nfd49_64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49559787D3F0E8C4FB63ECDD0256A25C\SourceList\Media C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3672 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3672 wrote to memory of 1944 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3672 wrote to memory of 1568 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3672 wrote to memory of 1568 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4376 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4376 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1568 wrote to memory of 1460 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1568 wrote to memory of 1460 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1460 wrote to memory of 3548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1460 wrote to memory of 3548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 1460 wrote to memory of 3548 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\sc.exe
PID 4572 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4572 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1324 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1324 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3692 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3692 wrote to memory of 2556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4856 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4856 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 5040 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 5040 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3740 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 3740 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 2696 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 2696 wrote to memory of 1572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 5032 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 5032 wrote to memory of 2596 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 4496 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4496 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4828 wrote to memory of 4424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4828 wrote to memory of 4424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4804 wrote to memory of 4344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4804 wrote to memory of 4344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3112 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3112 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3996 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3996 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 632 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 632 wrote to memory of 2740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2488 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2488 wrote to memory of 4444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4340 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4340 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3032 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3032 wrote to memory of 3340 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2384 wrote to memory of 624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 2384 wrote to memory of 624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3300 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 3300 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4084 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4084 wrote to memory of 2840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1712 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 1712 wrote to memory of 2828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4376 wrote to memory of 4424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4376 wrote to memory of 4424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4324 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4324 wrote to memory of 4636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4604 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4604 wrote to memory of 3212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4572 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4572 wrote to memory of 3548 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe
PID 4852 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4852 wrote to memory of 2620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 1120 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\sc.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\nfd49_64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 06AD235FB4EDD0A72A3A429BE96CD6C8 E Global\MSI0000

C:\Windows\system32\cmd.exe

cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

C:\Windows\system32\sc.exe

sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

C:\Windows\System32\cmd.exe

cmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs

C:\Program Files (x86)\Windows NT\7za.exe

7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start sc start CleverSoar

C:\Windows\system32\sc.exe

sc start CleverSoar

C:\Windows\system32\cmd.exe

cmd /c start shutdown -f -r -t 00

C:\Windows\system32\shutdown.exe

shutdown -f -r -t 00

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c shutdown -f -r -t 00

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3851055 /state1:0x41c64e6d

C:\Windows\system32\shutdown.exe

shutdown -f -r -t 00

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 167.205.23.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Windows\Installer\MSIE39A.tmp

MD5 b847332b6221ef7b0ab9233f47934dc9
SHA1 6dfe21baadbdfb5b4fd4c97041f333dc879f0faa
SHA256 8239c85adbeeff92dfa7ae4d30eda9cea602c9bf13609c5db2250dbc995f9161
SHA512 7cb582c5aa8768a2032ae1c16989f8dae4650dd5b17de025277acf373182de076a2f65d44c8e534cb55647ff206a9ed86be370d7417cdaf8a6ee6c19a68922db

memory/1568-24-0x00007FFF05160000-0x00007FFF05162000-memory.dmp

memory/1568-23-0x00007FFF05150000-0x00007FFF05152000-memory.dmp

C:\Program Files (x86)\Windows NT\locale.bin

MD5 591cbc59b64c8592744ae5f8f02daa4b
SHA1 3d3556785d30ec2095beee1275b708d307e90a3c
SHA256 1b0852406450e6c369c8bdd600976fd52e4ed3d6125659ba0845ea537dad2bcb
SHA512 99af9f665bc9f2c4751825ce5a2a2da719b6db3e811668ac555f5a2a0f7cf0e6c4e902e250751084f8b7787980cd4efe1af6251f07e6d971717fb705706c3cc9

C:\Program Files (x86)\Windows NT\locale4.bin

MD5 1ed346bcc3cc05a73f8391ffcd7f60cc
SHA1 3df7906454103d79ab93148e9a3e8f0ed6e9c90d
SHA256 e7b4f3562ab8e296701316291a73b0aadd9ba9f5e98c64d97fea35b21a670a21
SHA512 e5f57a73744fecdbf2b329f6f24c816b86e883bbc56b9b9b0049271d59c39c7b677a5eea8a846c487f23f5d9c8dcf027e9df548b604cdad98fad221949f49c91

C:\Program Files (x86)\Windows NT\7za.bin

MD5 f77c0b61806b6865c888592e178294c3
SHA1 e9e0b393cc977fbdbc44fe19d92879a38a4dad0c
SHA256 b85490de04744a2e30a815bfad752b520e87f71a1ce92dd23a0ed975b4836c82
SHA512 b4214f31ce76ba40d57ff64d204b3e0943a66e0b58302a22a92dbba98b847cbd6191a780e8940bea0498771a207c7024370b61fcbf310b22824d2b632efa7f12

C:\Program Files (x86)\Windows NT\locale3.bin

MD5 6177495bc3fe9c1c9ddb004cce5e51ac
SHA1 5b2d16055a93ee4fceedc0f308f3733156f5deb8
SHA256 5fbfd09294d7e0fc9a86964c68d646a6a74d590762b75b65ce138ce356ca1b51
SHA512 4f725f9a75113a192aba27c96efb3c387559d64be0ee30f26cc74bd0fddc1f57ca1592054dde18fe5dd9516ab017801705b043dfa40ca3d85a6cc5f2ee9105a7

C:\Program Files (x86)\Windows NT\locale2.bin

MD5 2f2bf41e2cae24881b7353510b3b35e8
SHA1 21babd383c1e89eed4993760e2f64ef8ea39aedd
SHA256 826a8a6b44d5ea01cf7d23b0941e8e0591e83c9d246ccd052d6739d736f35133
SHA512 96b878fc10c345f4090b410c51d2f6617fbaa7cd9a67c288e4e3c5c49b43a4613c030d10e89baa03d1b780ace4de0e6c7c66dbf6a7e3d92d93a16c4ce1c7845e

C:\Program Files (x86)\Windows NT\7za.exe

MD5 fbc6e272e89203cb9ddb3f88b4954deb
SHA1 fc75778e7e0c9f1bb67bc1097fdb9a5bcd5e7a0d
SHA256 99026dc8b99c6ea934b943f41a543f39040d837650d7f185ebd9f147a49ea1b6
SHA512 b010571d7924e35feedc32ad82020dc85903cf4e8a606ee055f6f4f6485982839ad1bad83f56301610d9b063a7fe55d403e6113a8c285c06d96c9b3ec8783425

C:\Program Files (x86)\Windows NT\locale3.dat

MD5 c6cd33f25c71000e089e3ba2a18e907a
SHA1 853f963fd6edcb07e199c20eac25177f2894c5ba
SHA256 161196b017d1fa466c9b806e2d62614026e9d34958eb47af0dab270f4eca881c
SHA512 a27b014fc0df449a39111067ce21ba3ef2ead39d1a2abad9d9e61a60b43f53d50d2789a61961dced1fe3782d55e42fc084fa06eec335a51b802d6a4c13436bd7

\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1c347842-f6b1-496b-ae2f-63b878de5cb0}_OnDiskSnapshotProp

MD5 c9380c27dacd7f0865eeea49f0c9ea69
SHA1 3191a956962c61972dbc8fad71c3da07ecc9477f
SHA256 27a5e46373e5d23500433b92282d777dd0c8ef861394c3fa0f0c04d0f9a1569c
SHA512 389c096d5572aafaa1d7371e6bd1a692b27e6c0e1a3d374764bbe55c1711e92b50dab26c8a61fdec6d20bd76d8a9a3326e5129961c24b51544fc1d1290d3bffc

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 225e2fffb4c188fe887964a956af587d
SHA1 87afc5fbeea7ef25ec775ec241925e586b8718e0
SHA256 47c87f65597b3d2aad6dd734890753a6831fdbaf47c2026d47b15caa89ed4d66
SHA512 e91412e7b9334a6b676b0fe8d60cbb4e25c03580fb32cecce00e5316725b08f9711192f3b20a800422380574d29d61bff1fbebdc46c8732b3d4ec470f0764b5c

C:\Config.Msi\e57e11a.rbs

MD5 5af662c7d1c31e07e7d8b2900c17b09f
SHA1 72dd7ae0183e46fda6eb5d5d0df49145f28c887a
SHA256 7dfb961cadd4f8d1a54c9c6b5fc00b404e7f7e4cf92a426d02e98193b336af2b
SHA512 d809ef03d83f088e5e48085ba5d74be8d16acb133bbf188df1d411a7b4bf21daf9b6b0df2961d2e62d1d21de9988cf1568842b0744b4c78d5ed63ac5693b7d6d

C:\Windows\Installer\e57e119.msi

MD5 28be818ac9500048abe00f46c93def8c
SHA1 11dd4516325e2d032f07f8a90aa66c035fb48c3c
SHA256 6468178241c7f17fce1237634265d9aed547976c891d517e4fcac37421ca03f0
SHA512 55f80e299a0e548586100a6cbd1d5af0741a5d1e19b67648fb2a2fe51c6e43475e9066386711c824750cb4a3331c5c7d5208d5037dcfa1f873f1679738baa12f