55bcd5d30a281d4df8ab11da0b6bc8773ee09b9da0537f826ae9bfa06d91b441

Analysis

max time kernel
37s
max time network
36s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 12:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Installer (3).msi
Size

12.4MB
MD5

0b6f567d2d08cf51fab3a4c156973ec5
SHA1

3693e4e6eb7ac5fad966c77eb4b38cd2cc4c9a20
SHA256

55bcd5d30a281d4df8ab11da0b6bc8773ee09b9da0537f826ae9bfa06d91b441
SHA512

d9fda950dcb9811e0e3c1d5542933754286fb5335e4062ab49622aba86636ab771f02c6d0d9c46942f2dc9c6d0c86bc3057d862fbd35483fd7e60a635a8048b0
SSDEEP

196608:E34AwVjpluzSl00psVS1HmLPFKwurgtJfG/u8WA/5w8jKcxRi5ilN6QCfjhKb0:RAwVjpD6S2/uoJfe1RwSLTNT

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

MsiExec.exe

pid process

1188 MsiExec.exe
1188 MsiExec.exe

pid	process
1188	MsiExec.exe
1188	MsiExec.exe

Drops file in Program Files directory 21 IoCs

Processes:

MsiExec.exe7za.exe7za.exemsiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\7za.exe	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\locale3.bin	7za.exe
File opened for modification	C:\Program Files (x86)\Windows NT\locale4.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale4.dat	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\tProtect.dll	7za.exe
File created	C:\Program Files (x86)\Windows NT\data.dat	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\locale.bin	7za.exe
File opened for modification	C:\Program Files (x86)\Windows NT\locale2.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale3.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale4.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale3.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\tProtect.dll	7za.exe
File created	C:\Program Files (x86)\Windows NT\7za.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\data.bin	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\INIT.DAT	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale2.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale2.dat	MsiExec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIF0F6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76eef2.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76eef1.msi	msiexec.exe
File created	C:\Windows\Installer\f76eef2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF00A.tmp	msiexec.exe
File created	C:\Windows\Installer\f76eef4.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76eef1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 2 IoCs

Processes:

7za.exe7za.exe

pid process

2012 7za.exe
2400 7za.exe

pid	process
2012	7za.exe
2400	7za.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
272	sc.exe
1540	sc.exe
2452	sc.exe
824	sc.exe
1364	sc.exe
864	sc.exe
560	sc.exe
2980	sc.exe
236	sc.exe
996	sc.exe
2480	sc.exe
2956	sc.exe
748	sc.exe
2568	sc.exe
1920	sc.exe
2980	sc.exe
3012	sc.exe
2284	sc.exe
1960	sc.exe
2676	sc.exe
2064	sc.exe
2604	sc.exe
1860	sc.exe
2596	sc.exe
1996	sc.exe
2676	sc.exe
2660	sc.exe
1560	sc.exe
2060	sc.exe
2100	sc.exe
1184	sc.exe
2696	sc.exe
2140	sc.exe
660	sc.exe
1088	sc.exe
2236	sc.exe
1788	sc.exe
2816	sc.exe
720	sc.exe
1516	sc.exe
2268	sc.exe
1568	sc.exe
980	sc.exe
2216	sc.exe
1780	sc.exe
2340	sc.exe
1780	sc.exe
2280	sc.exe
2476	sc.exe
2680	sc.exe
2060	sc.exe
876	sc.exe
2120	sc.exe
672	sc.exe
1180	sc.exe
544	sc.exe
1824	sc.exe
1444	sc.exe
1632	sc.exe
2140	sc.exe
2424	sc.exe
2116	sc.exe
2248	sc.exe
1500	sc.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1188 MsiExec.exe

pid	process
1188	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7za.exe7za.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\PackageName = "Installer (3).msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\PackageCode = "CD1F68DD74BB536438560605A247339F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2DEF96737D80A8B49B7F51984F3C38C7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2DEF96737D80A8B49B7F51984F3C38C7\ProdFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C\2DEF96737D80A8B49B7F51984F3C38C7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\ProductName = "Setup"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\Version = "16973828"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

7za.exe

pid process

2400 7za.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

msiexec.exeMsiExec.exe

pid process

2056 msiexec.exe
2056 msiexec.exe
1188 MsiExec.exe
1188 MsiExec.exe
1188 MsiExec.exe
1188 MsiExec.exe
1188 MsiExec.exe

pid	process
2400	7za.exe

pid	process
2056	msiexec.exe
2056	msiexec.exe
1188	MsiExec.exe
1188	MsiExec.exe
1188	MsiExec.exe
1188	MsiExec.exe
1188	MsiExec.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	2988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2988	msiexec.exe
Token: SeRestorePrivilege	2056	msiexec.exe
Token: SeTakeOwnershipPrivilege	2056	msiexec.exe
Token: SeSecurityPrivilege	2056	msiexec.exe
Token: SeCreateTokenPrivilege	2988	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2988	msiexec.exe
Token: SeLockMemoryPrivilege	2988	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2988	msiexec.exe
Token: SeMachineAccountPrivilege	2988	msiexec.exe
Token: SeTcbPrivilege	2988	msiexec.exe
Token: SeSecurityPrivilege	2988	msiexec.exe
Token: SeTakeOwnershipPrivilege	2988	msiexec.exe
Token: SeLoadDriverPrivilege	2988	msiexec.exe
Token: SeSystemProfilePrivilege	2988	msiexec.exe
Token: SeSystemtimePrivilege	2988	msiexec.exe
Token: SeProfSingleProcessPrivilege	2988	msiexec.exe
Token: SeIncBasePriorityPrivilege	2988	msiexec.exe
Token: SeCreatePagefilePrivilege	2988	msiexec.exe
Token: SeCreatePermanentPrivilege	2988	msiexec.exe
Token: SeBackupPrivilege	2988	msiexec.exe
Token: SeRestorePrivilege	2988	msiexec.exe
Token: SeShutdownPrivilege	2988	msiexec.exe
Token: SeDebugPrivilege	2988	msiexec.exe
Token: SeAuditPrivilege	2988	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2988	msiexec.exe
Token: SeChangeNotifyPrivilege	2988	msiexec.exe
Token: SeRemoteShutdownPrivilege	2988	msiexec.exe
Token: SeUndockPrivilege	2988	msiexec.exe
Token: SeSyncAgentPrivilege	2988	msiexec.exe
Token: SeEnableDelegationPrivilege	2988	msiexec.exe
Token: SeManageVolumePrivilege	2988	msiexec.exe
Token: SeImpersonatePrivilege	2988	msiexec.exe
Token: SeCreateGlobalPrivilege	2988	msiexec.exe
Token: SeBackupPrivilege	2200	vssvc.exe
Token: SeRestorePrivilege	2200	vssvc.exe
Token: SeAuditPrivilege	2200	vssvc.exe
Token: SeBackupPrivilege	2056	msiexec.exe
Token: SeRestorePrivilege	2056	msiexec.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2888	DrvInst.exe
Token: SeLoadDriverPrivilege	2888	DrvInst.exe
Token: SeLoadDriverPrivilege	2888	DrvInst.exe
Token: SeLoadDriverPrivilege	2888	DrvInst.exe
Token: SeRestorePrivilege	2056	msiexec.exe
Token: SeTakeOwnershipPrivilege	2056	msiexec.exe
Token: SeRestorePrivilege	2056	msiexec.exe
Token: SeTakeOwnershipPrivilege	2056	msiexec.exe
Token: SeRestorePrivilege	2056	msiexec.exe
Token: SeTakeOwnershipPrivilege	2056	msiexec.exe
Token: SeRestorePrivilege	2056	msiexec.exe
Token: SeTakeOwnershipPrivilege	2056	msiexec.exe
Token: SeRestorePrivilege	2056	msiexec.exe
Token: SeTakeOwnershipPrivilege	2056	msiexec.exe
Token: SeRestorePrivilege	2056	msiexec.exe
Token: SeTakeOwnershipPrivilege	2056	msiexec.exe
Token: SeRestorePrivilege	2056	msiexec.exe
Token: SeTakeOwnershipPrivilege	2056	msiexec.exe
Token: SeRestorePrivilege	2056	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

2988 msiexec.exe

pid	process
2988	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.execmd.exeMsiExec.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2056 wrote to memory of 1188	2056	msiexec.exe	MsiExec.exe
PID 2056 wrote to memory of 1188	2056	msiexec.exe	MsiExec.exe
PID 2056 wrote to memory of 1188	2056	msiexec.exe	MsiExec.exe
PID 2056 wrote to memory of 1188	2056	msiexec.exe	MsiExec.exe
PID 2056 wrote to memory of 1188	2056	msiexec.exe	MsiExec.exe
PID 1680 wrote to memory of 1960	1680	cmd.exe	sc.exe
PID 1680 wrote to memory of 1960	1680	cmd.exe	sc.exe
PID 1680 wrote to memory of 1960	1680	cmd.exe	sc.exe
PID 1188 wrote to memory of 2012	1188	MsiExec.exe	7za.exe
PID 1188 wrote to memory of 2012	1188	MsiExec.exe	7za.exe
PID 1188 wrote to memory of 2012	1188	MsiExec.exe	7za.exe
PID 1188 wrote to memory of 2012	1188	MsiExec.exe	7za.exe
PID 1188 wrote to memory of 2232	1188	MsiExec.exe	cmd.exe
PID 1188 wrote to memory of 2232	1188	MsiExec.exe	cmd.exe
PID 1188 wrote to memory of 2232	1188	MsiExec.exe	cmd.exe
PID 2232 wrote to memory of 2400	2232	cmd.exe	7za.exe
PID 2232 wrote to memory of 2400	2232	cmd.exe	7za.exe
PID 2232 wrote to memory of 2400	2232	cmd.exe	7za.exe
PID 2232 wrote to memory of 2400	2232	cmd.exe	7za.exe
PID 572 wrote to memory of 1444	572	cmd.exe	sc.exe
PID 572 wrote to memory of 1444	572	cmd.exe	sc.exe
PID 572 wrote to memory of 1444	572	cmd.exe	sc.exe
PID 2216 wrote to memory of 660	2216	cmd.exe	sc.exe
PID 2216 wrote to memory of 660	2216	cmd.exe	sc.exe
PID 2216 wrote to memory of 660	2216	cmd.exe	sc.exe
PID 448 wrote to memory of 1088	448	cmd.exe	sc.exe
PID 448 wrote to memory of 1088	448	cmd.exe	sc.exe
PID 448 wrote to memory of 1088	448	cmd.exe	sc.exe
PID 2168 wrote to memory of 1708	2168	cmd.exe	sc.exe
PID 2168 wrote to memory of 1708	2168	cmd.exe	sc.exe
PID 2168 wrote to memory of 1708	2168	cmd.exe	sc.exe
PID 1276 wrote to memory of 1540	1276	cmd.exe	sc.exe
PID 1276 wrote to memory of 1540	1276	cmd.exe	sc.exe
PID 1276 wrote to memory of 1540	1276	cmd.exe	sc.exe
PID 1308 wrote to memory of 1560	1308	cmd.exe	sc.exe
PID 1308 wrote to memory of 1560	1308	cmd.exe	sc.exe
PID 1308 wrote to memory of 1560	1308	cmd.exe	sc.exe
PID 2380 wrote to memory of 1632	2380	cmd.exe	sc.exe
PID 2380 wrote to memory of 1632	2380	cmd.exe	sc.exe
PID 2380 wrote to memory of 1632	2380	cmd.exe	sc.exe
PID 544 wrote to memory of 1780	544	cmd.exe	sc.exe
PID 544 wrote to memory of 1780	544	cmd.exe	sc.exe
PID 544 wrote to memory of 1780	544	cmd.exe	sc.exe
PID 304 wrote to memory of 2424	304	cmd.exe	sc.exe
PID 304 wrote to memory of 2424	304	cmd.exe	sc.exe
PID 304 wrote to memory of 2424	304	cmd.exe	sc.exe
PID 580 wrote to memory of 1516	580	cmd.exe	sc.exe
PID 580 wrote to memory of 1516	580	cmd.exe	sc.exe
PID 580 wrote to memory of 1516	580	cmd.exe	sc.exe
PID 2524 wrote to memory of 996	2524	cmd.exe	sc.exe
PID 2524 wrote to memory of 996	2524	cmd.exe	sc.exe
PID 2524 wrote to memory of 996	2524	cmd.exe	sc.exe
PID 980 wrote to memory of 2480	980	cmd.exe	sc.exe
PID 980 wrote to memory of 2480	980	cmd.exe	sc.exe
PID 980 wrote to memory of 2480	980	cmd.exe	sc.exe
PID 972 wrote to memory of 876	972	cmd.exe	sc.exe
PID 972 wrote to memory of 876	972	cmd.exe	sc.exe
PID 972 wrote to memory of 876	972	cmd.exe	sc.exe
PID 2476 wrote to memory of 2116	2476	cmd.exe	sc.exe
PID 2476 wrote to memory of 2116	2476	cmd.exe	sc.exe
PID 2476 wrote to memory of 2116	2476	cmd.exe	sc.exe
PID 2680 wrote to memory of 2956	2680	cmd.exe	sc.exe
PID 2680 wrote to memory of 2956	2680	cmd.exe	sc.exe
PID 2680 wrote to memory of 2956	2680	cmd.exe	sc.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Installer (3).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2988

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding F3293420DFE159710E17A3B257DDD75C M Global\MSI0000
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Program Files (x86)\Windows NT\7za.exe
    7za.exe x -y data.dat -pa8dtyw9eyfd9aslyd9iald
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2012
- - C:\Windows\system32\cmd.exe
    cmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Program Files (x86)\Windows NT\7za.exe
      7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -f -r -t 00
    3⤵
    PID:2172
  - - C:\Windows\system32\shutdown.exe
      shutdown -f -r -t 00
      4⤵
      PID:1788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "00000000000005C8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:1960

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1444

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:660

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1088

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1708

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1540

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1560

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1632

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1780

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:304
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2424

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1516

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:996

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2480

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:876

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2116

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2956

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2692
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2452

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2812
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2340

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2596
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2676

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2612
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2604

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2776
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2236

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2644
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2248

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:940
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2268

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1448
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2080

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1856
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:824

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1824
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2660

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1720
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1364

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2940
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2968
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2140

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2856
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2980

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2948
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2060

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1608
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1568

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2580
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:448

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2912
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:748

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1276
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1788

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2696
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2120

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1648
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:896

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:952
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1780

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:768
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:864

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1476
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2568

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2468
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:996

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:776
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:696

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2164
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1500

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2680
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2280

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2716
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1240

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2852
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2816

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2336
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2676

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:380
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1976
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2360

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2248
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:560

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2268
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1860

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1680
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1620

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1736
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1920

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1720
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1236

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:844
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2924

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2700
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2100

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2456
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2980

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2028
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3012

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:660
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:672

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:448
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1180

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1916
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1184

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:112
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2696

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1648
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:544

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1456
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:924

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1836
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:720

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:992
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2284

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:996
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:980

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1556
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2476

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2188
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2680

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2996
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2732

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2852
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2596

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2144
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:272

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1656
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2184

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2764
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1996

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1980
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2064

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1860
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:236

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1960
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1824

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1920
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1720

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1148
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2952

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2700
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2140

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2232
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2216

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1444
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2060

C:\Windows\system32\cmd.exe
cmd /c start shutdown -f -r -t 00
1⤵
PID:2832
- C:\Windows\system32\shutdown.exe
  shutdown -f -r -t 00
  2⤵
  PID:2920

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76eef3.rbs

Filesize
11.8MB

MD5
99d25bebec7405f9a362d00e8a185e39

SHA1
1cd8257f8bc404bd62181d9b2c5191b9ad49fac1

SHA256
d70a3cfb35d28b2307e1a82ff4648c5883a94098364f68129509f765cbffb33a

SHA512
6a17341f429a21839fb3fddde74c7f1f2898427a135f866820237d5b4b37898f732c7e84df2aac52d0bab6b53d42312298d29c4056a3554788c9b8e72713773f

Download Submit
C:\Program Files (x86)\Windows NT\7za.bin

Filesize
577KB

MD5
f77c0b61806b6865c888592e178294c3

SHA1
e9e0b393cc977fbdbc44fe19d92879a38a4dad0c

SHA256
b85490de04744a2e30a815bfad752b520e87f71a1ce92dd23a0ed975b4836c82

SHA512
b4214f31ce76ba40d57ff64d204b3e0943a66e0b58302a22a92dbba98b847cbd6191a780e8940bea0498771a207c7024370b61fcbf310b22824d2b632efa7f12

Download Submit
C:\Program Files (x86)\Windows NT\7za.exe

Filesize
577KB

MD5
fbc6e272e89203cb9ddb3f88b4954deb

SHA1
fc75778e7e0c9f1bb67bc1097fdb9a5bcd5e7a0d

SHA256
99026dc8b99c6ea934b943f41a543f39040d837650d7f185ebd9f147a49ea1b6

SHA512
b010571d7924e35feedc32ad82020dc85903cf4e8a606ee055f6f4f6485982839ad1bad83f56301610d9b063a7fe55d403e6113a8c285c06d96c9b3ec8783425

Download Submit
C:\Program Files (x86)\Windows NT\data.bin

Filesize
212KB

MD5
a299612c32a1f0ed19692cb5b8ce8b52

SHA1
af17fd3ebe8887438542e5747f3158fed262dcbd

SHA256
0a31fdd828093a5f0e2f3521c79bc20c38473092a03cca583e91bbb4e436d6a4

SHA512
1df0e5ed0650b05114cb779e02d8a584aaf4921ef88dd14123be8eb9398dbe09da3d180d06bbb3da586baf56952b18e5f9cbadc4ce4a2ef56ac720ba00f6c5e4

Download Submit
C:\Program Files (x86)\Windows NT\data.dat

Filesize
212KB

MD5
d730267cc55e05f10d6610340b18df20

SHA1
be4fcea88a53230ca9277fe714bf0e7b38b08909

SHA256
25e85831759cf8217db51aef24346c78368d5d87362e13ce2ef68fd515b03fed

SHA512
0bfcd1ace4c9674c388d5c2bec470674e1c1a6cc6d6482aa2268af2695a5eac2300e7ec144d703d483f1894adbd5e94070917f76590f7397a6e500a3bc5619ea

Download Submit
C:\Program Files (x86)\Windows NT\locale.bin

Filesize
55KB

MD5
95ef3afe0bc5d1cbdba8ea52fed6b9d5

SHA1
01557bdd7b3cd39fe0aa769d49408d69bf951e63

SHA256
f57bd6fadf5db0ad99e06ae48a356cefb3f2436183eda266a7fb3c4aea8d991e

SHA512
53b3d20076e7a38cafa2d064cefd80f3232b82e96b9325c607e2c68e5aa3d18c6a13b948ef7166da73189942b0ccbfebd472423aa7aa7f6e4c9a3a0b9e0e864d

Download Submit
C:\Program Files (x86)\Windows NT\locale2.bin

Filesize
55KB

MD5
73f8d8d2e4f083b8673a84709528f695

SHA1
456ef9e17cd704050b8a65adaad6ef4f8b620a1d

SHA256
55df9a058d76a769841aae219da1d464436dd1434e3528200b01ded2b7c750f6

SHA512
8ba2150bc24c70146b763d22238c0b569870088e24ea272708820badfad26fbbf6d6e0a4d413de61e0a019ef2d0f7d9f2634ef55cc1cf1584522206a7b5452f1

Download Submit
C:\Program Files (x86)\Windows NT\locale3.bin

Filesize
29KB

MD5
a8135a41e08677cad9122aa96361b1fa

SHA1
3fe0adf5dd66dec528bd7b5252a785425a9b608a

SHA256
14c1dd444a3e0604da6b30542d409fe3917fe8548473f16bb49d26c0d61eeb4a

SHA512
6064f813f887672b41d212c3170249da0451fbe79335af3afe96f7cbe7df14ee98f27bcf158abf4da5c74e6120bd3a12ebc6cdc28b14851a8c910b598351d224

Download Submit
C:\Program Files (x86)\Windows NT\locale3.dat

Filesize
29KB

MD5
c6cd33f25c71000e089e3ba2a18e907a

SHA1
853f963fd6edcb07e199c20eac25177f2894c5ba

SHA256
161196b017d1fa466c9b806e2d62614026e9d34958eb47af0dab270f4eca881c

SHA512
a27b014fc0df449a39111067ce21ba3ef2ead39d1a2abad9d9e61a60b43f53d50d2789a61961dced1fe3782d55e42fc084fa06eec335a51b802d6a4c13436bd7

Download Submit
C:\Program Files (x86)\Windows NT\locale4.bin

Filesize
73KB

MD5
3f1d2a17a706268d2ca80576e6906c59

SHA1
89e95ddad035a61baf47a737ae5fb6067d10d57e

SHA256
f7c0f83a521d1a157f86b9643513e726985300c374193b1256696a041225a213

SHA512
dd1f841da013ada0a753fac4a41383e9c490903f09a2e543eb8488fbf21e8ca7c2dbb6a4142c38eadb983e02fde0134a71acdcf91308959c249c795ebea1e9f7

Download Submit
C:\Windows\Installer\MSIF0F6.tmp

Filesize
11.8MB

MD5
14ebd2b284bfded84986345558e6c8b4

SHA1
a69be1a9f80146915cbb26264b015c5240fa1650

SHA256
8ff935a4b5d7ff3b39025de7bb7fcb301995d70006edf1488bbd0880926d82c9

SHA512
b7339d43648895e1490e9d618aa5259bb00b37df416534eca4e97dc6cb46c2de83e6ce4a82c534a5b610e74eabe51bbc694f908268dcd91127f0cbc1b243e60c

Download Submit
C:\Windows\Installer\f76eef1.msi

Filesize
12.4MB

MD5
0b6f567d2d08cf51fab3a4c156973ec5

SHA1
3693e4e6eb7ac5fad966c77eb4b38cd2cc4c9a20

SHA256
55bcd5d30a281d4df8ab11da0b6bc8773ee09b9da0537f826ae9bfa06d91b441

SHA512
d9fda950dcb9811e0e3c1d5542933754286fb5335e4062ab49622aba86636ab771f02c6d0d9c46942f2dc9c6d0c86bc3057d862fbd35483fd7e60a635a8048b0

Download Submit
memory/1188-21-0x0000000077170000-0x0000000077172000-memory.dmp

Filesize
8KB

Download
memory/1188-28-0x0000000077180000-0x0000000077182000-memory.dmp

Filesize
8KB

Download
memory/1188-23-0x0000000077170000-0x0000000077172000-memory.dmp

Filesize
8KB

Download
memory/1188-24-0x0000000077180000-0x0000000077182000-memory.dmp

Filesize
8KB

Download
memory/1188-26-0x0000000077180000-0x0000000077182000-memory.dmp

Filesize
8KB

Download
memory/1188-30-0x000007FEF49E0000-0x000007FEF5D57000-memory.dmp

Filesize
19.5MB

Download
memory/1188-19-0x0000000077170000-0x0000000077172000-memory.dmp

Filesize
8KB

Download

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

pid	process
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476
476