033cbe08cefd4b7a6553619355bc44f20de5c233b4f7a44142c7ae7caf96be41

Analysis

max time kernel
30s
max time network
31s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 11:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sdsetup.msi
Size

13.9MB
MD5

90111bdf3173ee59b2b4ebe158b00050
SHA1

77508c78e0a8f23cda0713ca77de15285af66a4e
SHA256

b8bd3eb19eb84bd518e9c5b82d88d6a8743581fcf32f7bacf819c8f0a20e5d11
SHA512

474faa22fc0b0f9a9b9b7c479a3dd86e2c0e7fc2c93bbe650961438f1167b7bee886f31834abe934cb9de6e903be0fed150a63fe58d71001f495ab45f5ca85fa
SSDEEP

393216:d+B+BXTb0RAtdP5OaaBA3DBSdON9gK01jsB:pkRQ5VcAT4dON9g7js

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MsiExec.exe

pid process

2036 MsiExec.exe
2036 MsiExec.exe

pid	process
2036	MsiExec.exe
2036	MsiExec.exe

Drops file in Program Files directory 15 IoCs

Processes:

msiexec.exeMsiExec.exe7za.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\locale3.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale2.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\locale4.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale4.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\INIT.DAT	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\7za.exe	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\tProtect.dll	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale2.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale.bin	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale3.dat	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\tProtect.dll	7za.exe
File created	C:\Program Files (x86)\Windows NT\7za.bin	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\Installer\f76fe9b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI198.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76fe9b.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76fe9a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFB3.tmp	msiexec.exe
File created	C:\Windows\Installer\f76fe9d.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76fe9a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

Processes:

7za.exe

pid process

1628 7za.exe

pid	process
1628	7za.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2636	sc.exe
1652	sc.exe
3000	sc.exe
2228	sc.exe
1256	sc.exe
2100	sc.exe
1588	sc.exe
2452	sc.exe
1420	sc.exe
2828	sc.exe
1772	sc.exe
564	sc.exe
2780	sc.exe
1540	sc.exe
2588	sc.exe
2640	sc.exe
752	sc.exe
1424	sc.exe
1616	sc.exe
2964	sc.exe
532	sc.exe
984	sc.exe
2820	sc.exe
1532	sc.exe
2504	sc.exe
2424	sc.exe
1560	sc.exe
1916	sc.exe
920	sc.exe
2648	sc.exe
2436	sc.exe
2452	sc.exe
2552	sc.exe
2280	sc.exe
1624	sc.exe
2912	sc.exe
1536	sc.exe
1824	sc.exe
1432	sc.exe
380	sc.exe
2988	sc.exe
1428	sc.exe
2984	sc.exe
1424	sc.exe
2700	sc.exe
1460	sc.exe
264	sc.exe
2424	sc.exe
2448	sc.exe
2184	sc.exe
2144	sc.exe
2276	sc.exe
1624	sc.exe
1464	sc.exe
2328	sc.exe
2700	sc.exe
2776	sc.exe
2808	sc.exe
2080	sc.exe
772	sc.exe
476	sc.exe
2432	sc.exe
2308	sc.exe
1944	sc.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

2036 MsiExec.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Msiexec
T1218.007

Processes:

msiexec.exe

pid process

2132 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

7za.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7za.exe

pid	process
2036	MsiExec.exe

pid	process
2132	msiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\ProductName = "Setup"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\PackageName = "sdsetup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3FAE135C6428D2F49A15C46EF5682F38	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\Version = "16973828"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C\3FAE135C6428D2F49A15C46EF5682F38	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3FAE135C6428D2F49A15C46EF5682F38\ProdFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\PackageCode = "057C27D048C846642BECE75325F4B32F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3FAE135C6428D2F49A15C46EF5682F38\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

7za.exe

pid process

1628 7za.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

msiexec.exeMsiExec.exe

pid process

2084 msiexec.exe
2084 msiexec.exe
2036 MsiExec.exe
2036 MsiExec.exe
2036 MsiExec.exe
2036 MsiExec.exe
2036 MsiExec.exe

pid	process
1628	7za.exe

pid	process
2084	msiexec.exe
2084	msiexec.exe
2036	MsiExec.exe
2036	MsiExec.exe
2036	MsiExec.exe
2036	MsiExec.exe
2036	MsiExec.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	2132	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2132	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeSecurityPrivilege	2084	msiexec.exe
Token: SeCreateTokenPrivilege	2132	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2132	msiexec.exe
Token: SeLockMemoryPrivilege	2132	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2132	msiexec.exe
Token: SeMachineAccountPrivilege	2132	msiexec.exe
Token: SeTcbPrivilege	2132	msiexec.exe
Token: SeSecurityPrivilege	2132	msiexec.exe
Token: SeTakeOwnershipPrivilege	2132	msiexec.exe
Token: SeLoadDriverPrivilege	2132	msiexec.exe
Token: SeSystemProfilePrivilege	2132	msiexec.exe
Token: SeSystemtimePrivilege	2132	msiexec.exe
Token: SeProfSingleProcessPrivilege	2132	msiexec.exe
Token: SeIncBasePriorityPrivilege	2132	msiexec.exe
Token: SeCreatePagefilePrivilege	2132	msiexec.exe
Token: SeCreatePermanentPrivilege	2132	msiexec.exe
Token: SeBackupPrivilege	2132	msiexec.exe
Token: SeRestorePrivilege	2132	msiexec.exe
Token: SeShutdownPrivilege	2132	msiexec.exe
Token: SeDebugPrivilege	2132	msiexec.exe
Token: SeAuditPrivilege	2132	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2132	msiexec.exe
Token: SeChangeNotifyPrivilege	2132	msiexec.exe
Token: SeRemoteShutdownPrivilege	2132	msiexec.exe
Token: SeUndockPrivilege	2132	msiexec.exe
Token: SeSyncAgentPrivilege	2132	msiexec.exe
Token: SeEnableDelegationPrivilege	2132	msiexec.exe
Token: SeManageVolumePrivilege	2132	msiexec.exe
Token: SeImpersonatePrivilege	2132	msiexec.exe
Token: SeCreateGlobalPrivilege	2132	msiexec.exe
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe
Token: SeBackupPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2628	DrvInst.exe
Token: SeRestorePrivilege	2628	DrvInst.exe
Token: SeRestorePrivilege	2628	DrvInst.exe
Token: SeRestorePrivilege	2628	DrvInst.exe
Token: SeRestorePrivilege	2628	DrvInst.exe
Token: SeRestorePrivilege	2628	DrvInst.exe
Token: SeRestorePrivilege	2628	DrvInst.exe
Token: SeLoadDriverPrivilege	2628	DrvInst.exe
Token: SeLoadDriverPrivilege	2628	DrvInst.exe
Token: SeLoadDriverPrivilege	2628	DrvInst.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe
Token: SeTakeOwnershipPrivilege	2084	msiexec.exe
Token: SeRestorePrivilege	2084	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2132 msiexec.exe

pid	process
2132	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.execmd.exeMsiExec.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2084 wrote to memory of 2036	2084	msiexec.exe	MsiExec.exe
PID 2084 wrote to memory of 2036	2084	msiexec.exe	MsiExec.exe
PID 2084 wrote to memory of 2036	2084	msiexec.exe	MsiExec.exe
PID 2084 wrote to memory of 2036	2084	msiexec.exe	MsiExec.exe
PID 2084 wrote to memory of 2036	2084	msiexec.exe	MsiExec.exe
PID 1880 wrote to memory of 1692	1880	cmd.exe	sc.exe
PID 1880 wrote to memory of 1692	1880	cmd.exe	sc.exe
PID 1880 wrote to memory of 1692	1880	cmd.exe	sc.exe
PID 2036 wrote to memory of 1200	2036	MsiExec.exe	cmd.exe
PID 2036 wrote to memory of 1200	2036	MsiExec.exe	cmd.exe
PID 2036 wrote to memory of 1200	2036	MsiExec.exe	cmd.exe
PID 1200 wrote to memory of 1628	1200	cmd.exe	7za.exe
PID 1200 wrote to memory of 1628	1200	cmd.exe	7za.exe
PID 1200 wrote to memory of 1628	1200	cmd.exe	7za.exe
PID 1200 wrote to memory of 1628	1200	cmd.exe	7za.exe
PID 2844 wrote to memory of 2828	2844	cmd.exe	sc.exe
PID 2844 wrote to memory of 2828	2844	cmd.exe	sc.exe
PID 2844 wrote to memory of 2828	2844	cmd.exe	sc.exe
PID 3000 wrote to memory of 2984	3000	cmd.exe	sc.exe
PID 3000 wrote to memory of 2984	3000	cmd.exe	sc.exe
PID 3000 wrote to memory of 2984	3000	cmd.exe	sc.exe
PID 2700 wrote to memory of 2820	2700	cmd.exe	sc.exe
PID 2700 wrote to memory of 2820	2700	cmd.exe	sc.exe
PID 2700 wrote to memory of 2820	2700	cmd.exe	sc.exe
PID 2140 wrote to memory of 2228	2140	cmd.exe	sc.exe
PID 2140 wrote to memory of 2228	2140	cmd.exe	sc.exe
PID 2140 wrote to memory of 2228	2140	cmd.exe	sc.exe
PID 1176 wrote to memory of 2588	1176	cmd.exe	sc.exe
PID 1176 wrote to memory of 2588	1176	cmd.exe	sc.exe
PID 1176 wrote to memory of 2588	1176	cmd.exe	sc.exe
PID 2492 wrote to memory of 1256	2492	cmd.exe	sc.exe
PID 2492 wrote to memory of 1256	2492	cmd.exe	sc.exe
PID 2492 wrote to memory of 1256	2492	cmd.exe	sc.exe
PID 1276 wrote to memory of 1532	1276	cmd.exe	sc.exe
PID 1276 wrote to memory of 1532	1276	cmd.exe	sc.exe
PID 1276 wrote to memory of 1532	1276	cmd.exe	sc.exe
PID 1952 wrote to memory of 2448	1952	cmd.exe	sc.exe
PID 1952 wrote to memory of 2448	1952	cmd.exe	sc.exe
PID 1952 wrote to memory of 2448	1952	cmd.exe	sc.exe
PID 2948 wrote to memory of 1424	2948	cmd.exe	sc.exe
PID 2948 wrote to memory of 1424	2948	cmd.exe	sc.exe
PID 2948 wrote to memory of 1424	2948	cmd.exe	sc.exe
PID 936 wrote to memory of 1464	936	cmd.exe	sc.exe
PID 936 wrote to memory of 1464	936	cmd.exe	sc.exe
PID 936 wrote to memory of 1464	936	cmd.exe	sc.exe
PID 1460 wrote to memory of 2436	1460	cmd.exe	sc.exe
PID 1460 wrote to memory of 2436	1460	cmd.exe	sc.exe
PID 1460 wrote to memory of 2436	1460	cmd.exe	sc.exe
PID 2456 wrote to memory of 1864	2456	cmd.exe	sc.exe
PID 2456 wrote to memory of 1864	2456	cmd.exe	sc.exe
PID 2456 wrote to memory of 1864	2456	cmd.exe	sc.exe
PID 1652 wrote to memory of 1432	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1432	1652	cmd.exe	sc.exe
PID 1652 wrote to memory of 1432	1652	cmd.exe	sc.exe
PID 564 wrote to memory of 2184	564	cmd.exe	sc.exe
PID 564 wrote to memory of 2184	564	cmd.exe	sc.exe
PID 564 wrote to memory of 2184	564	cmd.exe	sc.exe
PID 1012 wrote to memory of 2452	1012	cmd.exe	sc.exe
PID 1012 wrote to memory of 2452	1012	cmd.exe	sc.exe
PID 1012 wrote to memory of 2452	1012	cmd.exe	sc.exe
PID 1684 wrote to memory of 800	1684	cmd.exe	sc.exe
PID 1684 wrote to memory of 800	1684	cmd.exe	sc.exe
PID 1684 wrote to memory of 800	1684	cmd.exe	sc.exe
PID 2348 wrote to memory of 2080	2348	cmd.exe	sc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sdsetup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2132

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 1CDBC1182E5F0E0324AD817196568EFA M Global\MSI0000
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\cmd.exe
    cmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Program Files (x86)\Windows NT\7za.exe
      7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -f -r -t 00
    3⤵
    PID:840
  - - C:\Windows\system32\shutdown.exe
      shutdown -f -r -t 00
      4⤵
      PID:2228

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000598" "0000000000000390"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  2⤵
  PID:1692

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2828

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2984

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2820

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2228

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2588

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1256

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1532

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2448

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1424

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1464

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2436

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1864

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1432

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2184

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2452

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:800

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2080

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:980
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2552

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3020
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2632
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2780

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2284
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2216

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1304
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2932

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2292
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2100

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2024
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2640

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2128
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2144

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1912
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1624

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1944
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2504

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1116
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:380

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2792
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2988

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1884
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:752

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2804
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2328

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2208
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2700

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2956
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2276

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3040
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:3048

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1656
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1428

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1276
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1772

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1920
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1588

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:920
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1424

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2244
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1680

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2436
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1560

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1844
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:328

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2052
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:564

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1908
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1012

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:316
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:772

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2348
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2512

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:980
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2912

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2996
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2308

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2680
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2780

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2156
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2636

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2932
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:476

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2352
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2020

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2412
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2424

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2144
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1616

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1188
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1944

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1668
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2964

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2792
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1540

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1344
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:532

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2968
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2432

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1244
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2700

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1556
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1392

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3048
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2976

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:596
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1428

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2164
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1916

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1588
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:920

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1464
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1460

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2436
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2280

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2256
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1652

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:580
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:564

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:276
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2452

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:772
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1420

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2512
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:264

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2612
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2776

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2308
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2680

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2216
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2648

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2932
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:984

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1924
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1824

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2040
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2424

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1192
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1624

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1880
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1536

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2964
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2808

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2816
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3000

C:\Windows\system32\cmd.exe
cmd /c start shutdown -f -r -t 00
1⤵
PID:752
- C:\Windows\system32\shutdown.exe
  shutdown -f -r -t 00
  2⤵
  PID:2968

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3044

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76fe9c.rbs

Filesize
13.4MB

MD5
6ac06a26a2468c2efbd55da0ef93de2f

SHA1
d7bb80f906a876d58422f242b22828b356b40302

SHA256
29d1c8db6261e6b82df7bd9fd960bd9947326dc840f3d3a79527fd7bc8233801

SHA512
f22f9552e153d9fe8a1a531e21db1d81dcf4501fae002656a0af404df417010dba8dd5e35e35f8805406e746504695f0f9091b5a7a48347a57150b7ef65f4b7b

Download Submit
C:\Program Files (x86)\Windows NT\7za.bin

Filesize
577KB

MD5
f77c0b61806b6865c888592e178294c3

SHA1
e9e0b393cc977fbdbc44fe19d92879a38a4dad0c

SHA256
b85490de04744a2e30a815bfad752b520e87f71a1ce92dd23a0ed975b4836c82

SHA512
b4214f31ce76ba40d57ff64d204b3e0943a66e0b58302a22a92dbba98b847cbd6191a780e8940bea0498771a207c7024370b61fcbf310b22824d2b632efa7f12

Download Submit
C:\Program Files (x86)\Windows NT\7za.exe

Filesize
577KB

MD5
fbc6e272e89203cb9ddb3f88b4954deb

SHA1
fc75778e7e0c9f1bb67bc1097fdb9a5bcd5e7a0d

SHA256
99026dc8b99c6ea934b943f41a543f39040d837650d7f185ebd9f147a49ea1b6

SHA512
b010571d7924e35feedc32ad82020dc85903cf4e8a606ee055f6f4f6485982839ad1bad83f56301610d9b063a7fe55d403e6113a8c285c06d96c9b3ec8783425

Download Submit
C:\Program Files (x86)\Windows NT\locale.bin

Filesize
48KB

MD5
7abe8030a0e18d93028ec0a4f30bf22d

SHA1
78b4ae69d3023c0d796b12645a0a6523d4703d08

SHA256
3bf3dd866b1bdc3669e54b0c96abbe1180635ecb1270c20a46b9fd45771ab7cd

SHA512
be3d35b2837626ca85d54b0e4ce6639809a6a1f28d24a735b87ab6c689603bf2462ee52bea1094dc8ebb0d227e5818ea4bbfd052e2d21a9749aef2b648c5117d

Download Submit
C:\Program Files (x86)\Windows NT\locale2.bin

Filesize
55KB

MD5
2f2bf41e2cae24881b7353510b3b35e8

SHA1
21babd383c1e89eed4993760e2f64ef8ea39aedd

SHA256
826a8a6b44d5ea01cf7d23b0941e8e0591e83c9d246ccd052d6739d736f35133

SHA512
96b878fc10c345f4090b410c51d2f6617fbaa7cd9a67c288e4e3c5c49b43a4613c030d10e89baa03d1b780ace4de0e6c7c66dbf6a7e3d92d93a16c4ce1c7845e

Download Submit
C:\Program Files (x86)\Windows NT\locale3.bin

Filesize
29KB

MD5
6177495bc3fe9c1c9ddb004cce5e51ac

SHA1
5b2d16055a93ee4fceedc0f308f3733156f5deb8

SHA256
5fbfd09294d7e0fc9a86964c68d646a6a74d590762b75b65ce138ce356ca1b51

SHA512
4f725f9a75113a192aba27c96efb3c387559d64be0ee30f26cc74bd0fddc1f57ca1592054dde18fe5dd9516ab017801705b043dfa40ca3d85a6cc5f2ee9105a7

Download Submit
C:\Program Files (x86)\Windows NT\locale3.dat

Filesize
29KB

MD5
c6cd33f25c71000e089e3ba2a18e907a

SHA1
853f963fd6edcb07e199c20eac25177f2894c5ba

SHA256
161196b017d1fa466c9b806e2d62614026e9d34958eb47af0dab270f4eca881c

SHA512
a27b014fc0df449a39111067ce21ba3ef2ead39d1a2abad9d9e61a60b43f53d50d2789a61961dced1fe3782d55e42fc084fa06eec335a51b802d6a4c13436bd7

Download Submit
C:\Program Files (x86)\Windows NT\locale4.bin

Filesize
73KB

MD5
1ed346bcc3cc05a73f8391ffcd7f60cc

SHA1
3df7906454103d79ab93148e9a3e8f0ed6e9c90d

SHA256
e7b4f3562ab8e296701316291a73b0aadd9ba9f5e98c64d97fea35b21a670a21

SHA512
e5f57a73744fecdbf2b329f6f24c816b86e883bbc56b9b9b0049271d59c39c7b677a5eea8a846c487f23f5d9c8dcf027e9df548b604cdad98fad221949f49c91

Download Submit
C:\Windows\Installer\MSI198.tmp

Filesize
13.4MB

MD5
99d971164757b8f6c8803e09e9844970

SHA1
2b825a0506e00aa5cb0076bea3a6f55fd184ced9

SHA256
2420b386b2b13e29c0e6384f0d025c8e396eb6de8695370260643e0d1ae42f08

SHA512
c927963257da1d301f6f2b39584065b7b9d570230a4cf7d6cd60557b31fe17aec88ff0a10d91dff17cdd6b99bc6b2c68a24b66e1aec3e66088e1f0428c3346be

Download Submit
C:\Windows\Installer\f76fe9a.msi

Filesize
13.9MB

MD5
90111bdf3173ee59b2b4ebe158b00050

SHA1
77508c78e0a8f23cda0713ca77de15285af66a4e

SHA256
b8bd3eb19eb84bd518e9c5b82d88d6a8743581fcf32f7bacf819c8f0a20e5d11

SHA512
474faa22fc0b0f9a9b9b7c479a3dd86e2c0e7fc2c93bbe650961438f1167b7bee886f31834abe934cb9de6e903be0fed150a63fe58d71001f495ab45f5ca85fa

Download Submit
memory/2036-32-0x000007FEF58B0000-0x000007FEF6E97000-memory.dmp

Filesize
21.9MB

Download
memory/2036-27-0x0000000077D80000-0x0000000077D82000-memory.dmp

Filesize
8KB

Download
memory/2036-26-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/2036-24-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/2036-31-0x0000000077D80000-0x0000000077D82000-memory.dmp

Filesize
8KB

Download
memory/2036-22-0x0000000077D70000-0x0000000077D72000-memory.dmp

Filesize
8KB

Download
memory/2036-29-0x0000000077D80000-0x0000000077D82000-memory.dmp

Filesize
8KB

Download

pid	process
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480

pid	process
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480
480