55bcd5d30a281d4df8ab11da0b6bc8773ee09b9da0537f826ae9bfa06d91b441

Analysis

max time kernel
43s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 12:55

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Installer (3).msi
Size

12.4MB
MD5

0b6f567d2d08cf51fab3a4c156973ec5
SHA1

3693e4e6eb7ac5fad966c77eb4b38cd2cc4c9a20
SHA256

55bcd5d30a281d4df8ab11da0b6bc8773ee09b9da0537f826ae9bfa06d91b441
SHA512

d9fda950dcb9811e0e3c1d5542933754286fb5335e4062ab49622aba86636ab771f02c6d0d9c46942f2dc9c6d0c86bc3057d862fbd35483fd7e60a635a8048b0
SSDEEP

196608:E34AwVjpluzSl00psVS1HmLPFKwurgtJfG/u8WA/5w8jKcxRi5ilN6QCfjhKb0:RAwVjpD6S2/uoJfe1RwSLTNT

Score

8^/10

discovery execution persistence

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3032	MsiExec.exe
3032	MsiExec.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\locale2.bin	7za.exe
File opened for modification	C:\Program Files (x86)\Windows NT\locale3.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale4.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale4.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\tProtect.dll	7za.exe
File created	C:\Program Files (x86)\Windows NT\data.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale.bin	7za.exe
File opened for modification	C:\Program Files (x86)\Windows NT\locale.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale3.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\7za.exe	MsiExec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\locale4.bin	7za.exe
File created	C:\Program Files (x86)\Windows NT\locale.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale2.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale3.dat	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\7za.bin	msiexec.exe
File created	C:\Program Files (x86)\Windows NT\data.bin	msiexec.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Update.png	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\INIT.DAT	MsiExec.exe
File created	C:\Program Files (x86)\Windows NT\locale2.bin	7za.exe
File opened for modification	C:\Program Files (x86)\Windows NT\tProtect.dll	7za.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57f898.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3769FED2-08D7-4B8A-B9F7-1589F4C3837C}	msiexec.exe
File created	C:\Windows\Installer\e57f89a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB49.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f898.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9B2.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
5072	7za.exe
3088	7za.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4368	sc.exe
2640	sc.exe
4324	sc.exe
3132	sc.exe
3228	sc.exe
1576	sc.exe
4912	sc.exe
220	sc.exe
3584	sc.exe
3100	sc.exe
4500	sc.exe
628	sc.exe
3360	sc.exe
4620	sc.exe
3000	sc.exe
1732	sc.exe
372	sc.exe
4840	sc.exe
4548	sc.exe
4664	sc.exe
3156	sc.exe
944	sc.exe
3156	sc.exe
3568	sc.exe
4948	sc.exe
4952	sc.exe
3112	sc.exe
1248	sc.exe
1540	sc.exe
4104	sc.exe
4616	sc.exe
1376	sc.exe
5008	sc.exe
2292	sc.exe
840	sc.exe
1240	sc.exe
4912	sc.exe
2164	sc.exe
2116	sc.exe
3528	sc.exe
4892	sc.exe
2192	sc.exe
4892	sc.exe
1724	sc.exe
4456	sc.exe
1144	sc.exe
4900	sc.exe
2000	sc.exe
4560	sc.exe
1592	sc.exe
4080	sc.exe
4896	sc.exe
1064	sc.exe
2476	sc.exe
4664	sc.exe
3232	sc.exe
4508	sc.exe
4356	sc.exe
3548	sc.exe
2508	sc.exe
2476	sc.exe
5076	sc.exe
1368	sc.exe
4092	sc.exe

Loads dropped DLL 1 IoCs

pid	Process
3032	MsiExec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "46"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Magisk	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Magisk\ring3_username = "Admin"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\PackageName = "Installer (3).msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2DEF96737D80A8B49B7F51984F3C38C7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2DEF96737D80A8B49B7F51984F3C38C7\ProdFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\PackageCode = "CD1F68DD74BB536438560605A247339F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\ProductName = "Setup"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\Version = "16973828"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ABCBC521D000113428DCA4ABCB7D434C\2DEF96737D80A8B49B7F51984F3C38C7	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2DEF96737D80A8B49B7F51984F3C38C7\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
636	msiexec.exe
636	msiexec.exe
3032	MsiExec.exe
3032	MsiExec.exe
3032	MsiExec.exe
3032	MsiExec.exe
3032	MsiExec.exe
3032	MsiExec.exe
3032	MsiExec.exe
3032	MsiExec.exe
3032	MsiExec.exe
3032	MsiExec.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1848	msiexec.exe
Token: SeSecurityPrivilege	636	msiexec.exe
Token: SeCreateTokenPrivilege	1848	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1848	msiexec.exe
Token: SeLockMemoryPrivilege	1848	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1848	msiexec.exe
Token: SeMachineAccountPrivilege	1848	msiexec.exe
Token: SeTcbPrivilege	1848	msiexec.exe
Token: SeSecurityPrivilege	1848	msiexec.exe
Token: SeTakeOwnershipPrivilege	1848	msiexec.exe
Token: SeLoadDriverPrivilege	1848	msiexec.exe
Token: SeSystemProfilePrivilege	1848	msiexec.exe
Token: SeSystemtimePrivilege	1848	msiexec.exe
Token: SeProfSingleProcessPrivilege	1848	msiexec.exe
Token: SeIncBasePriorityPrivilege	1848	msiexec.exe
Token: SeCreatePagefilePrivilege	1848	msiexec.exe
Token: SeCreatePermanentPrivilege	1848	msiexec.exe
Token: SeBackupPrivilege	1848	msiexec.exe
Token: SeRestorePrivilege	1848	msiexec.exe
Token: SeShutdownPrivilege	1848	msiexec.exe
Token: SeDebugPrivilege	1848	msiexec.exe
Token: SeAuditPrivilege	1848	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1848	msiexec.exe
Token: SeChangeNotifyPrivilege	1848	msiexec.exe
Token: SeRemoteShutdownPrivilege	1848	msiexec.exe
Token: SeUndockPrivilege	1848	msiexec.exe
Token: SeSyncAgentPrivilege	1848	msiexec.exe
Token: SeEnableDelegationPrivilege	1848	msiexec.exe
Token: SeManageVolumePrivilege	1848	msiexec.exe
Token: SeImpersonatePrivilege	1848	msiexec.exe
Token: SeCreateGlobalPrivilege	1848	msiexec.exe
Token: SeBackupPrivilege	1912	vssvc.exe
Token: SeRestorePrivilege	1912	vssvc.exe
Token: SeAuditPrivilege	1912	vssvc.exe
Token: SeBackupPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1848	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4560	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 4892	636	msiexec.exe	94
PID 636 wrote to memory of 4892	636	msiexec.exe	94
PID 636 wrote to memory of 3032	636	msiexec.exe	96
PID 636 wrote to memory of 3032	636	msiexec.exe	96
PID 1944 wrote to memory of 4900	1944	cmd.exe	98
PID 1944 wrote to memory of 4900	1944	cmd.exe	98
PID 3032 wrote to memory of 5072	3032	MsiExec.exe	100
PID 3032 wrote to memory of 5072	3032	MsiExec.exe	100
PID 3032 wrote to memory of 5072	3032	MsiExec.exe	100
PID 3032 wrote to memory of 4248	3032	MsiExec.exe	102
PID 3032 wrote to memory of 4248	3032	MsiExec.exe	102
PID 4248 wrote to memory of 3088	4248	cmd.exe	104
PID 4248 wrote to memory of 3088	4248	cmd.exe	104
PID 4248 wrote to memory of 3088	4248	cmd.exe	104
PID 2688 wrote to memory of 4912	2688	cmd.exe	106
PID 2688 wrote to memory of 4912	2688	cmd.exe	106
PID 2528 wrote to memory of 4020	2528	cmd.exe	109
PID 2528 wrote to memory of 4020	2528	cmd.exe	109
PID 3744 wrote to memory of 4948	3744	cmd.exe	112
PID 3744 wrote to memory of 4948	3744	cmd.exe	112
PID 4868 wrote to memory of 4356	4868	cmd.exe	115
PID 4868 wrote to memory of 4356	4868	cmd.exe	115
PID 4304 wrote to memory of 3548	4304	cmd.exe	118
PID 4304 wrote to memory of 3548	4304	cmd.exe	118
PID 2792 wrote to memory of 4896	2792	cmd.exe	121
PID 2792 wrote to memory of 4896	2792	cmd.exe	121
PID 3048 wrote to memory of 2292	3048	cmd.exe	124
PID 3048 wrote to memory of 2292	3048	cmd.exe	124
PID 2692 wrote to memory of 2000	2692	cmd.exe	128
PID 2692 wrote to memory of 2000	2692	cmd.exe	128
PID 3496 wrote to memory of 2476	3496	cmd.exe	131
PID 3496 wrote to memory of 2476	3496	cmd.exe	131
PID 2248 wrote to memory of 4328	2248	cmd.exe	134
PID 2248 wrote to memory of 4328	2248	cmd.exe	134
PID 5108 wrote to memory of 1368	5108	cmd.exe	137
PID 5108 wrote to memory of 1368	5108	cmd.exe	137
PID 4900 wrote to memory of 4952	4900	cmd.exe	140
PID 4900 wrote to memory of 4952	4900	cmd.exe	140
PID 4620 wrote to memory of 3112	4620	cmd.exe	143
PID 4620 wrote to memory of 3112	4620	cmd.exe	143
PID 1456 wrote to memory of 1064	1456	cmd.exe	146
PID 1456 wrote to memory of 1064	1456	cmd.exe	146
PID 5088 wrote to memory of 4092	5088	cmd.exe	149
PID 5088 wrote to memory of 4092	5088	cmd.exe	149
PID 3612 wrote to memory of 628	3612	cmd.exe	152
PID 3612 wrote to memory of 628	3612	cmd.exe	152
PID 2652 wrote to memory of 2640	2652	cmd.exe	155
PID 2652 wrote to memory of 2640	2652	cmd.exe	155
PID 2356 wrote to memory of 4996	2356	cmd.exe	158
PID 2356 wrote to memory of 4996	2356	cmd.exe	158
PID 4948 wrote to memory of 4104	4948	cmd.exe	161
PID 4948 wrote to memory of 4104	4948	cmd.exe	161
PID 4504 wrote to memory of 1504	4504	cmd.exe	164
PID 4504 wrote to memory of 1504	4504	cmd.exe	164
PID 3228 wrote to memory of 4912	3228	cmd.exe	167
PID 3228 wrote to memory of 4912	3228	cmd.exe	167
PID 4896 wrote to memory of 2620	4896	cmd.exe	170
PID 4896 wrote to memory of 2620	4896	cmd.exe	170
PID 2944 wrote to memory of 372	2944	cmd.exe	174
PID 2944 wrote to memory of 372	2944	cmd.exe	174
PID 456 wrote to memory of 1248	456	cmd.exe	177
PID 456 wrote to memory of 1248	456	cmd.exe	177
PID 4500 wrote to memory of 2248	4500	cmd.exe	180
PID 4500 wrote to memory of 2248	4500	cmd.exe	180

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Installer (3).msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1848

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4892
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0C3F4C2B1BF077CDD3A2F79B9F6A56C9 E Global\MSI0000
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Program Files (x86)\Windows NT\7za.exe
    7za.exe x -y data.dat -pa8dtyw9eyfd9aslyd9iald
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5072
- - C:\Windows\System32\cmd.exe
    cmd.exe /c 7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Program Files (x86)\Windows NT\7za.exe
      7za.exe x -bd -y locale3.dat -pasfasdf79yf9layslofs
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c shutdown -f -r -t 00
    3⤵
    PID:1008
  - - C:\Windows\system32\shutdown.exe
      shutdown -f -r -t 00
      4⤵
      PID:1416

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\cmd.exe
cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Windows\system32\sc.exe
  sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
  2⤵
  - Launches sc.exe
  PID:4900

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4912

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4020

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4948

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4356

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3548

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4896

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2292

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2000

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2476

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4328

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1368

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4952

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3112

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1064

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4092

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:628

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2640

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4996

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4104

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1504

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4912

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2620

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:372

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:456
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1248

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2248

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2576
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4664

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4944
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:840

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3272
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2508

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2744
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1540

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4892
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4796

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4072
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1240

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4732
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4840

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4020
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2192

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4332
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4548

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2596
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4472

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:212
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4324

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4668
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3132

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4864
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4616

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:436
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:3704

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1248
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2476

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2236
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3360

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4544
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:944

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1376
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4620

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4452
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3232

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3736
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4892

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3612
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:5076

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4732
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1724

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2356
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4508

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3528
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4456

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2164
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3228

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4784
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4912

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4660
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1576

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:372
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3000

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4752
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3156

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3496
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3568

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3244
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4664

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:860
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4560

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1992
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:220

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1032
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1540

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4892
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1144

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4116
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2116

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2528
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1600

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4948
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3528

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2596
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:2164

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1336
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:1840

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4660
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4536

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1988
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1592

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3028
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3156

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2052
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2576

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4664
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4952

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4560
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1376

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2372
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4080

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2920
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4892

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4812
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:1732

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:2528
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3100

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:4948
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4368

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3752
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:2468

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3164
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:5008

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:116
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  PID:4864

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:3812
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:3584

C:\Windows\system32\cmd.exe
cmd /c start sc start CleverSoar
1⤵
PID:1348
- C:\Windows\system32\sc.exe
  sc start CleverSoar
  2⤵
  - Launches sc.exe
  PID:4500

C:\Windows\system32\cmd.exe
cmd /c start shutdown -f -r -t 00
1⤵
PID:4944
- C:\Windows\system32\shutdown.exe
  shutdown -f -r -t 00
  2⤵
  PID:2576

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa392f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f899.rbs

Filesize
11.8MB

MD5
e8e7caed3f484f2d37ec0e2bc196444b

SHA1
b53d479739d9d5d373505d53fab92792225441e8

SHA256
be4a128ef4799acbee6083d1550310931cab1aaefe41c36e4aa4892560134929

SHA512
34f35cdec775dbbfbc58d29689fcce5929537a749157a1c732b01be08caf3483209b042b71c1544d28be42af594ac3774b7586766eb28c5b4d2a24723c722417

Download Submit
C:\Program Files (x86)\Windows NT\7za.bin

Filesize
577KB

MD5
f77c0b61806b6865c888592e178294c3

SHA1
e9e0b393cc977fbdbc44fe19d92879a38a4dad0c

SHA256
b85490de04744a2e30a815bfad752b520e87f71a1ce92dd23a0ed975b4836c82

SHA512
b4214f31ce76ba40d57ff64d204b3e0943a66e0b58302a22a92dbba98b847cbd6191a780e8940bea0498771a207c7024370b61fcbf310b22824d2b632efa7f12

Download Submit
C:\Program Files (x86)\Windows NT\7za.exe

Filesize
577KB

MD5
fbc6e272e89203cb9ddb3f88b4954deb

SHA1
fc75778e7e0c9f1bb67bc1097fdb9a5bcd5e7a0d

SHA256
99026dc8b99c6ea934b943f41a543f39040d837650d7f185ebd9f147a49ea1b6

SHA512
b010571d7924e35feedc32ad82020dc85903cf4e8a606ee055f6f4f6485982839ad1bad83f56301610d9b063a7fe55d403e6113a8c285c06d96c9b3ec8783425

Download Submit
C:\Program Files (x86)\Windows NT\data.bin

Filesize
212KB

MD5
a299612c32a1f0ed19692cb5b8ce8b52

SHA1
af17fd3ebe8887438542e5747f3158fed262dcbd

SHA256
0a31fdd828093a5f0e2f3521c79bc20c38473092a03cca583e91bbb4e436d6a4

SHA512
1df0e5ed0650b05114cb779e02d8a584aaf4921ef88dd14123be8eb9398dbe09da3d180d06bbb3da586baf56952b18e5f9cbadc4ce4a2ef56ac720ba00f6c5e4

Download Submit
C:\Program Files (x86)\Windows NT\data.dat

Filesize
212KB

MD5
d730267cc55e05f10d6610340b18df20

SHA1
be4fcea88a53230ca9277fe714bf0e7b38b08909

SHA256
25e85831759cf8217db51aef24346c78368d5d87362e13ce2ef68fd515b03fed

SHA512
0bfcd1ace4c9674c388d5c2bec470674e1c1a6cc6d6482aa2268af2695a5eac2300e7ec144d703d483f1894adbd5e94070917f76590f7397a6e500a3bc5619ea

Download Submit
C:\Program Files (x86)\Windows NT\locale.bin

Filesize
55KB

MD5
95ef3afe0bc5d1cbdba8ea52fed6b9d5

SHA1
01557bdd7b3cd39fe0aa769d49408d69bf951e63

SHA256
f57bd6fadf5db0ad99e06ae48a356cefb3f2436183eda266a7fb3c4aea8d991e

SHA512
53b3d20076e7a38cafa2d064cefd80f3232b82e96b9325c607e2c68e5aa3d18c6a13b948ef7166da73189942b0ccbfebd472423aa7aa7f6e4c9a3a0b9e0e864d

Download Submit
C:\Program Files (x86)\Windows NT\locale2.bin

Filesize
55KB

MD5
73f8d8d2e4f083b8673a84709528f695

SHA1
456ef9e17cd704050b8a65adaad6ef4f8b620a1d

SHA256
55df9a058d76a769841aae219da1d464436dd1434e3528200b01ded2b7c750f6

SHA512
8ba2150bc24c70146b763d22238c0b569870088e24ea272708820badfad26fbbf6d6e0a4d413de61e0a019ef2d0f7d9f2634ef55cc1cf1584522206a7b5452f1

Download Submit
C:\Program Files (x86)\Windows NT\locale3.bin

Filesize
29KB

MD5
a8135a41e08677cad9122aa96361b1fa

SHA1
3fe0adf5dd66dec528bd7b5252a785425a9b608a

SHA256
14c1dd444a3e0604da6b30542d409fe3917fe8548473f16bb49d26c0d61eeb4a

SHA512
6064f813f887672b41d212c3170249da0451fbe79335af3afe96f7cbe7df14ee98f27bcf158abf4da5c74e6120bd3a12ebc6cdc28b14851a8c910b598351d224

Download Submit
C:\Program Files (x86)\Windows NT\locale3.dat

Filesize
29KB

MD5
c6cd33f25c71000e089e3ba2a18e907a

SHA1
853f963fd6edcb07e199c20eac25177f2894c5ba

SHA256
161196b017d1fa466c9b806e2d62614026e9d34958eb47af0dab270f4eca881c

SHA512
a27b014fc0df449a39111067ce21ba3ef2ead39d1a2abad9d9e61a60b43f53d50d2789a61961dced1fe3782d55e42fc084fa06eec335a51b802d6a4c13436bd7

Download Submit
C:\Program Files (x86)\Windows NT\locale4.bin

Filesize
73KB

MD5
3f1d2a17a706268d2ca80576e6906c59

SHA1
89e95ddad035a61baf47a737ae5fb6067d10d57e

SHA256
f7c0f83a521d1a157f86b9643513e726985300c374193b1256696a041225a213

SHA512
dd1f841da013ada0a753fac4a41383e9c490903f09a2e543eb8488fbf21e8ca7c2dbb6a4142c38eadb983e02fde0134a71acdcf91308959c249c795ebea1e9f7

Download Submit
C:\Windows\Installer\MSIFB49.tmp

Filesize
11.8MB

MD5
14ebd2b284bfded84986345558e6c8b4

SHA1
a69be1a9f80146915cbb26264b015c5240fa1650

SHA256
8ff935a4b5d7ff3b39025de7bb7fcb301995d70006edf1488bbd0880926d82c9

SHA512
b7339d43648895e1490e9d618aa5259bb00b37df416534eca4e97dc6cb46c2de83e6ce4a82c534a5b610e74eabe51bbc694f908268dcd91127f0cbc1b243e60c

Download Submit
C:\Windows\Installer\e57f898.msi

Filesize
12.4MB

MD5
0b6f567d2d08cf51fab3a4c156973ec5

SHA1
3693e4e6eb7ac5fad966c77eb4b38cd2cc4c9a20

SHA256
55bcd5d30a281d4df8ab11da0b6bc8773ee09b9da0537f826ae9bfa06d91b441

SHA512
d9fda950dcb9811e0e3c1d5542933754286fb5335e4062ab49622aba86636ab771f02c6d0d9c46942f2dc9c6d0c86bc3057d862fbd35483fd7e60a635a8048b0

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
2406d46d70ec3c204d1d2c71c781651c

SHA1
42a5142c8cabb05f8ae065946c31f5b71a8cb034

SHA256
5d27971e28f3202d2a97e857999cd790bd65ba447686bac69a9625d2eb95db10

SHA512
a1fd4958eec5f55e5be3f39b34021ccbd8a0e82be63a689c03864527d4a9e95744ab1b07aea6780f5b15a78f7ccfdb8d65b90438243288741de52f4b11c1e629

Download Submit
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e6133c5d-63bf-40df-8c49-979024f7c8a7}_OnDiskSnapshotProp

Filesize
6KB

MD5
36034a202a257a593ed397941ccc47e4

SHA1
7d8df719c3db6a8098b341d330509c47eed08438

SHA256
8fead03bb13b6206ac5590613ea912aca4f06d1d5f5a6290dbe9a1ae9a01c277

SHA512
fa6be611dffd50ca3d8fbe6c03058f00a0b20ae6beffee6d27587df27fe0e9bc44d4753b497c098a9012c233155813081a05b09ff73818198f6f577a9bed93d3

Download Submit
memory/3032-24-0x00007FFEF4670000-0x00007FFEF59E7000-memory.dmp

Filesize
19.5MB

Download
memory/3032-22-0x00007FFF151D0000-0x00007FFF151D2000-memory.dmp

Filesize
8KB

Download
memory/3032-23-0x00007FFF151E0000-0x00007FFF151E2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads