Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.2.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.2.exe (the #Uxxxx escapes are the report's encoding of the Chinese filename 安装助手1.0.2.exe, "Installation Assistant 1.0.2")
renamed because original name is a hash value
Original sample name: 1.0.2.exe
Analysis ID: 1580228
MD5: 315719354db8520278ae3d022b90da14
SHA1: 46a92e47bdea70bef469eca470bb3b280f0fcd06
SHA256: e9d2969683bcc59dee33d048904b3bfb7af7b140ce360a326bb5bb9b3ef3b57e
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
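Three of the signatures above (the base64-encoded MpPreference cmdlet, the PowerShell Defender exclusion, and the kernel driver created through sc.exe) are command-line detections, so they can be replayed over process-creation telemetry outside the sandbox. The Python below is an added example written for this page; it is not the sandbox's tooling or code from the sample. The telemetry it runs on is constructed, and the hypothetical_drv service name, driver path and excluded directory are placeholders. It decodes -EncodedCommand blobs (base64 of UTF-16LE) before matching rather than looking for the base64 alignments of the cmdlet name, which is the more general form of the check.

```python
# Added example for this page (not the sandbox's or the sample's code): replay
# the report's command-line detections over process-creation telemetry.
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so capture "-e<letters>" here and check the prefix relation in code.
_ENC_FLAG = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)

# Add-/Set-MpPreference with any -Exclusion* parameter (path, process, extension, IP).
_MP_EXCLUSION = re.compile(
    r"\b(?:add|set)-mppreference\b[^;|]*?-exclusion(?:path|process|extension|ipaddress)", re.I)

# sc.exe create/config ... type= kernel (sc's syntax puts the space after '=').
_SC_KERNEL = re.compile(r"\bsc(?:\.exe)?\s+(?:create|config)\b.*\btype=\s*kernel\b", re.I)


def encode_command(script: str) -> str:
    """What PowerShell expects after -EncodedCommand: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the script carried by -EncodedCommand, or None if there is none or
    it does not decode. -ExecutionPolicy (-ep, -ex) also starts with 'e' but is
    not a prefix of 'encodedcommand', so it is skipped."""
    for flag, blob in _ENC_FLAG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            return raw.decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def effective_command(cmdline: str) -> str:
    """The text that actually runs: the decoded script if encoded, else the line."""
    decoded = decode_encoded_command(cmdline)
    return cmdline if decoded is None else decoded


def classify(cmdline: str) -> list:
    """Tag one process-creation command line with the behaviours it shows."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else decoded
    tags = []
    if _MP_EXCLUSION.search(text):
        tags.append("defender_exclusion")
        if decoded is not None:            # reached only through -EncodedCommand
            tags.append("base64_encoded_mppreference")
    if _SC_KERNEL.search(text):
        tags.append("kernel_driver_via_sc")
    return tags


def hunt(events):
    """Run classify() over (process, command line) pairs and keep the hits."""
    hits = []
    for process, cmdline in events:
        tags = classify(cmdline)
        if tags:
            hits.append({"process": process, "tags": tags,
                         "command": effective_command(cmdline)})
    return hits


# Constructed sample telemetry (not from the report): one benign launch, one
# Defender exclusion hidden behind -EncodedCommand, one kernel-driver service.
# Service name, driver path and excluded directory are placeholders.
SAMPLE_EVENTS = [
    ("powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
    ("powershell.exe", "powershell.exe -ep Bypass -enc "
     + encode_command(r"Add-MpPreference -ExclusionPath 'C:\Users\Public\dropper'")),
    ("cmd.exe", r"sc create hypothetical_drv type= kernel binPath= C:\Windows\Temp\hypothetical_drv.sys"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["process"], hit["tags"], hit["command"])
```

Feed hunt() the process name and command line from Sysmon event 1 or Security event 4688 (with command-line auditing on). Matching on the decoded text means a launch that wraps the cmdlet in extra whitespace or changes the base64 alignment is still caught, which a fixed-substring rule would miss.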

Classification

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc Virustotal: Detection: 15%
Source: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\update.vac Virustotal: Detection: 15%
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Virustotal: Detection: 6%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 93.4% probability
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1742828875.0000000003420000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1742694432.0000000003220000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7AAEC0 FindFirstFileA,FindClose, 5_2_6C7AAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B86868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 9_2_00B86868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B87496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 9_2_00B87496
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1865180267.000000006C7E8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000002.1862561976.0000000003E8C000.00000004.00001000.00020000.00000000.sdmp, update.vac.5.dr, hrsw.vbc.5.dr, 7zr.exe.5.dr, update.vac.1.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689106529.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689779279.000000007F44B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000000.1691453628.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000000.1711906120.00000000005BD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689106529.0000000002CF0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689779279.000000007F44B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000001.00000000.1691453628.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp, 00000005.00000000.1711906120.00000000005BD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr, #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process information set: 01 00 00 00
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C633886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C633886
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7B5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle, 5_2_6C7B5120
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C633C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C633C62
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C633D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C633D62
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7B5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 5_2_6C7B5D60
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C633D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C633D18
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C6339CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C6339CF
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C633A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 5_2_6C633A6A
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C631950: CreateFileA,DeviceIoControl,CloseHandle, 5_2_6C631950
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C634754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor, 5_2_6C634754
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C634754 5_2_6C634754
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C644A27 5_2_6C644A27
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7B1880 5_2_6C7B1880
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7B6A43 5_2_6C7B6A43
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C816CE0 5_2_6C816CE0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C863D50 5_2_6C863D50
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C869E80 5_2_6C869E80
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C802EC9 5_2_6C802EC9
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7E8EA1 5_2_6C7E8EA1
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C85E810 5_2_6C85E810
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7E8972 5_2_6C7E8972
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C8699F0 5_2_6C8699F0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C87A930 5_2_6C87A930
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C861AA0 5_2_6C861AA0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C874AA0 5_2_6C874AA0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C85DAD0 5_2_6C85DAD0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C85FA50 5_2_6C85FA50
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7F0BCA 5_2_6C7F0BCA
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C800B66 5_2_6C800B66
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C80540A 5_2_6C80540A
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C862580 5_2_6C862580
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C86F5C0 5_2_6C86F5C0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C8696E0 5_2_6C8696E0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C889700 5_2_6C889700
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7EC7CF 5_2_6C7EC7CF
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C860020 5_2_6C860020
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C873750 5_2_6C873750
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BC81EC 9_2_00BC81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B9E00A 9_2_00B9E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C081C0 9_2_00C081C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C022E0 9_2_00C022E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C18240 9_2_00C18240
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C1C3C0 9_2_00C1C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C22300 9_2_00C22300
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C104C8 9_2_00C104C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BEE49F 9_2_00BEE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C025F0 9_2_00C025F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BFA6A0 9_2_00BFA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BF66D0 9_2_00BF66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BF8650 9_2_00BF8650
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C1E990 9_2_00C1E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BFC950 9_2_00BFC950
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BD0943 9_2_00BD0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C02A80 9_2_00C02A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BDAB11 9_2_00BDAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C06CE0 9_2_00C06CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BF8C20 9_2_00BF8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C14EA0 9_2_00C14EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C10E00 9_2_00C10E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BE10AC 9_2_00BE10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C0D089 9_2_00C0D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C191C0 9_2_00C191C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BFB180 9_2_00BFB180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C05180 9_2_00C05180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BFD1D0 9_2_00BFD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BEB121 9_2_00BEB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C11120 9_2_00C11120
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C1D2C0 9_2_00C1D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C17200 9_2_00C17200
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C1F3C0 9_2_00C1F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BE53F3 9_2_00BE53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BAB3E4 9_2_00BAB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C0F3A0 9_2_00C0F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B853CF 9_2_00B853CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C154D0 9_2_00C154D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BCD496 9_2_00BCD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BF7410 9_2_00BF7410
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C1D470 9_2_00C1D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C0F420 9_2_00C0F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C1F599 9_2_00C1F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C11550 9_2_00C11550
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BFF500 9_2_00BFF500
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B81572 9_2_00B81572
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C2351A 9_2_00C2351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C13530 9_2_00C13530
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C0D6A0 9_2_00C0D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C23601 9_2_00C23601
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BD9652 9_2_00BD9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C177C0 9_2_00C177C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B897CA 9_2_00B897CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B99766 9_2_00B99766
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BAF8E0 9_2_00BAF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C1D9E0 9_2_00C1D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BFF910 9_2_00BFF910
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B81AA1 9_2_00B81AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C07AF0 9_2_00C07AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BD3AEF 9_2_00BD3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B9BAC9 9_2_00B9BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B9BC92 9_2_00B9BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C07C50 9_2_00C07C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00BFFDF0 9_2_00BFFDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C05E80 9_2_00C05E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C05F80 9_2_00C05F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00C1FB10 appears 720 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00B828E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00B81E40 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: String function: 6C886F10 appears 415 times
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: String function: 6C7E9240 appears 31 times
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689779279.000000007F74A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000003.1689106529.0000000002E0E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe, 00000000.00000000.1687448966.0000000000DA9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Binary or memory string: OriginalFileName8yHCrhGsg5TqPsOc.exe vs #U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
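The static observations above (11 sections against the report's threshold of 10, section names outside the usual set, an invalid CheckSum, a 32-bit EXECUTABLE_IMAGE) need nothing beyond the PE headers, so they can be re-checked on any copy of the dropped files without a sandbox. The Python below is an added example for this page, not the sandbox's own tooling; build_minimal_pe() produces a constructed header-only fixture rather than the analysed sample, and the STANDARD_SECTIONS set is a local policy choice (Delphi/Inno Setup images such as this one use CODE/DATA/BSS alongside the MSVC-style dotted names).

```python
# Added example for this page (not the sandbox's or the sample's code): a
# dependency-free header pass that reproduces the report's static PE findings.
import struct

# Section names treated as ordinary. Delphi/Inno Setup images use CODE/DATA/BSS
# next to the MSVC-style dotted names; anything else is reported, as the
# sandbox's "non-standard names" signature does. Local policy, extend as needed.
STANDARD_SECTIONS = {"CODE", "DATA", "BSS", ".text", ".rdata", ".data", ".idata",
                     ".edata", ".pdata", ".rsrc", ".reloc", ".tls", ".bss", ".CRT"}
SECTION_COUNT_LIMIT = 10          # the report's threshold ("11 > 10")


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute OptionalHeader.CheckSum: 16-bit end-around-carry sum over the
    whole file with the CheckSum field itself skipped, folded to 16 bits, plus
    the file length. Assumes an even checksum_offset, which holds for the
    4-byte-aligned e_lfanew values linkers emit."""
    total = 0
    for off in range(0, len(data) - 1, 2):
        if checksum_offset <= off < checksum_offset + 4:
            continue
        total += int.from_bytes(data[off:off + 2], "little")
        total = (total & 0xFFFF) + (total >> 16)
    if len(data) % 2:                         # odd trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def triage_pe(data: bytes) -> dict:
    """Parse the DOS, COFF, optional and section headers (nothing else)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    checksum_offset = opt + 64                # same offset for PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_offset)[0]
    table = opt + opt_size
    names = [data[table + i * 40: table + i * 40 + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(nsections)]
    computed = pe_checksum(data, checksum_offset)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": characteristics,   # 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE
        "section_count": nsections,
        "section_names": names,
        "too_many_sections": nsections > SECTION_COUNT_LIMIT,
        "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS],
        "stored_checksum": stored,
        "computed_checksum": computed,
        "checksum_valid": stored == computed, # a zero field can never be valid
    }


def with_checksum(data: bytes) -> bytes:
    """Copy of data with the CheckSum field rewritten to the recomputed value
    (what a linker does); lets pe_checksum() be checked for round-tripping."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    offset = e_lfanew + 4 + 20 + 64
    patched = bytearray(data)
    patched[offset:offset + 4] = struct.pack("<I", pe_checksum(data, offset))
    return bytes(patched)


def build_minimal_pe(section_names, characteristics=0x0102) -> bytes:
    """Constructed fixture: DOS header, PE signature, COFF header, a zeroed
    PE32 optional header and one 40-byte section header per name. It is not
    loadable; it only exercises the header checks above."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                      # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size,
                       characteristics)                  # 0x14C = IMAGE_FILE_MACHINE_I386
    opt = bytearray(opt_size)
    opt[0:2] = struct.pack("<H", 0x10B)                  # PE32 magic; CheckSum left at 0
    table = b"".join(name.encode("ascii")[:8].ljust(8, b"\0") + bytes(32)
                     for name in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    sample = build_minimal_pe(["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata",
                               ".reloc", ".rsrc", ".pack0", ".pack1", ".pack2"])
    for key, value in triage_pe(sample).items():
        print(f"{key:>22}: {value}")
```

On a real file, pass open(path, "rb").read() to triage_pe(). A stored_checksum of 0 is the usual cause of the "invalid checksum" finding: Windows only enforces the field for drivers and a few system images, so many user-mode linkers leave it empty unless told otherwise.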
Source: tProtect.dll.11.dr Binary string: \Device\TfSysMon
Source: tProtect.dll.11.dr Binary string: \Device\TfKbMonPWLCache
Source: classification engine Classification label: mal92.evad.winEXE@147/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7B5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 5_2_6C7B5D60
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B89313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 9_2_00B89313
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B93D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 9_2_00B93D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B89252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, 9_2_00B89252
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7B5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW, 5_2_6C7B5240
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File created: C:\Program Files (x86)\Windows NT\is-S9CBO.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8064:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7620:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1772:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7636:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8136:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7612:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7520:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7316:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe File created: C:\Users\user\AppData\Local\Temp\is-QO799.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe
Source: unknown Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Process created: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Process created: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$10488,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Process created: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$20466,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Process created: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp "C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp" /SL5="$10488,5031707,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Section loaded: apphelp.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static file information: File size 5986125 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000B.00000003.1742828875.0000000003420000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000B.00000003.1742694432.0000000003220000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.11.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_00C057D0
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static PE information: real checksum: 0x0 should be: 0x5bdd3b
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343a0e
Source: update.vac.1.dr Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: update.vac.5.dr Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr Static PE information: real checksum: 0x0 should be: 0x343a0e
Source: tProtect.dll.11.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: hrsw.vbc.5.dr Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.2.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.1.dr Static PE information: section name: .00cfg
Source: update.vac.1.dr Static PE information: section name: .voltbl
Source: update.vac.1.dr Static PE information: section name: .8Tk
Source: #U5b89#U88c5#U52a9#U624b1.0.2.tmp.4.dr Static PE information: section name: .didata
Source: 7zr.exe.5.dr Static PE information: section name: .sxdata
Source: hrsw.vbc.5.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.5.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.5.dr Static PE information: section name: .8Tk
Source: update.vac.5.dr Static PE information: section name: .00cfg
Source: update.vac.5.dr Static PE information: section name: .voltbl
Source: update.vac.5.dr Static PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7B86EB push ecx; ret 5_2_6C7B86FE
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C660F00 push ss; retn 0001h 5_2_6C660F0A
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C886F10 push eax; ret 5_2_6C886F2E
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7EB9F4 push 004AC35Ch; ret 5_2_6C7EBA0E
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C887290 push eax; ret 5_2_6C8872BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B845F4 push 00C2C35Ch; ret 9_2_00B8460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C1FB10 push eax; ret 9_2_00C1FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C1FE90 push eax; ret 9_2_00C1FEBE
Source: update.vac.1.dr Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.5.dr Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.5.dr Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe File created: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File created: C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File created: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\update.vac
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe File created: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File created: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp File created: C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\update.vac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5785 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3898 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Window / User API: threadDelayed 673 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Window / User API: threadDelayed 637 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Window / User API: threadDelayed 577 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\update.vac Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-HT0ET.tmp\update.vac Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-4RQR5.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7492 Thread sleep count: 5785 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464 Thread sleep count: 3898 > 30 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7576 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7AAEC0 FindFirstFileA,FindClose, 5_2_6C7AAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B86868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 9_2_00B86868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B87496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 9_2_00B87496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B89C60 GetSystemInfo, 9_2_00B89C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2^63-1 in 100 ns ticks rendered in milliseconds, the largest timeout NtDelayExecution accepts, i.e. an effectively infinite sleep)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C633886 NtSetInformationThread 00000000,00000011,00000000,00000000 5_2_6C633886
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7C0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6C7C0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 9_2_00C057D0
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7C9D66 mov eax, dword ptr fs:[00000030h] 5_2_6C7C9D66
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7C9D35 mov eax, dword ptr fs:[00000030h] 5_2_6C7C9D35
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7BF17D mov eax, dword ptr fs:[00000030h] 5_2_6C7BF17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C7B8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6C7B8CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.11.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.2.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
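The two process-creation behaviours recorded in this section, the Defender exclusion pushed through Add-MpPreference and the kernel-mode service that sc.exe registers with a .dll as its binPath, are the kind of events a triage rule should catch from a process-creation log alone. The following is an added example written for this page, not Joe Sandbox code and not part of the report: it parses events in the report's own "Source: <parent> Process created: <image> <command line>" shape, flags exclusion cmdlets (also the base64 -EncodedCommand form, which this section does not show but the same cmdlet is routinely wrapped in), and correlates "sc create ... type= kernel" with the later "sc start" of the same service. The sample events, rule names and severities are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Report lines of the form "Source: <parent> Process created: <image> <command line>".
EVENT_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
# powershell -EncodedCommand / -e / -ec / -enc carries a base64-encoded UTF-16LE script.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Add-MpPreference with any exclusion parameter and the first value passed to it.
MP_EXCLUSION_RE = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?P<kind>Path|Process|Extension|IpAddress)\s+['\"]?(?P<value>[^'\"\s,]+)", re.I)
SC_CREATE_RE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+)(?P<rest>.*)", re.I)
SC_START_RE = re.compile(r"\bsc(?:\.exe)?\s+start\s+(?P<name>\S+)", re.I)
BINPATH_RE = re.compile(r"binPath=\s*(?:\"([^\"]+)\"|(\S+))", re.I)


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_defender_exclusion(cmdline: str) -> Optional[Finding]:
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    m = MP_EXCLUSION_RE.search(text)
    if not m:
        return None
    value = m.group("value")
    # A bare drive root such as C:\ switches scanning off for the whole volume.
    severity = "high" if re.fullmatch(r"[A-Za-z]:\\?", value) else "medium"
    via = " (decoded from -EncodedCommand)" if decoded is not None else ""
    return Finding("defender_exclusion", severity, f"-Exclusion{m.group('kind')} {value}{via}")


def check_sc(cmdline: str, kernel_services: Set[str]) -> Optional[Finding]:
    """Flag kernel-mode services registered by sc.exe and any later start of those services."""
    m = SC_CREATE_RE.search(cmdline)
    if m:
        rest = m.group("rest")
        if not re.search(r"type=\s*kernel\b", rest, re.I):
            return None
        b = BINPATH_RE.search(rest)
        binpath = (b.group(1) or b.group(2)) if b else "?"
        kernel_services.add(m.group("name").lower())
        # Kernel drivers ship as .sys; anything else means the extension does not match the content.
        note = "" if binpath.lower().endswith(".sys") else ", image extension is not .sys"
        return Finding("kernel_driver_service_created", "high", f"{m.group('name')} -> {binpath}{note}")
    m = SC_START_RE.search(cmdline)
    if m and m.group("name").lower() in kernel_services:
        return Finding("kernel_driver_service_started", "high", m.group("name"))
    return None


def triage(lines) -> List[Finding]:
    findings: List[Finding] = []
    kernel_services: Set[str] = set()  # correlates "sc create ... type= kernel" with later "sc start"
    for line in lines:
        ev = EVENT_RE.match(line.strip())
        if not ev:
            continue
        image, cmdline = ev.group("image").lower(), ev.group("cmdline")
        f = None
        if image.endswith(("powershell.exe", "pwsh.exe")):
            f = check_defender_exclusion(cmdline)
        elif image.endswith("sc.exe"):
            f = check_sc(cmdline, kernel_services)
        if f:
            findings.append(f)
    return findings


# Constructed sample events (modelled on the report's lines, not copied from it); the encoded one is built here.
ENCODED_SAMPLE = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\Users\\Public'".encode("utf-16le")).decode()
SAMPLE_EVENTS = r"""
Source: C:\Users\user\AppData\Local\Temp\is-QO799.tmp\setup.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start Spooler
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Get-MpPreference"
""".strip().splitlines() + [
    "Source: C:\\Windows\\explorer.exe Process created: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    '"powershell.exe" -NoProfile -EncodedCommand ' + ENCODED_SAMPLE,
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

Run against the sample it yields four findings: the drive-root exclusion rated high, the kernel service pointing at tProtect.dll (noted as not a .sys), the start of that same service, and the encoded exclusion rated medium; "sc start Spooler" and the read-only Get-MpPreference produce nothing. The service-name set is what turns a bare "sc start CleverSoar" into a finding, since on its own that command line is indistinguishable from starting any other service.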
Source: C:\Users\user\AppData\Local\Temp\is-OEIE1.tmp\#U5b89#U88c5#U52a9#U624b1.0.2.tmp Code function: 5_2_6C887700 cpuid 5_2_6C887700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00B8AB2A GetSystemTimeAsFileTime, 9_2_00B8AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 9_2_00C20090 GetVersion, 9_2_00C20090
No contacted IP infos