Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.1.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.1.exe
Renamed because the original name is a hash value
Original sample name: 1.0.1.exe
Analysis ID: 1580229
MD5: f2845d6410a0d9a090d414f3ae742e3b
SHA1: a27e62687254f001c08b5313465d2ed1870f0eb5
SHA256: f56c3d038c408355f6fb191865ca5650b29926f65b78d02b008b509bf640e588
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Virustotal: Detection: 6%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 90.5% probability
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2113537072.0000000001380000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2113433554.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9BAEC0 FindFirstFileA,FindClose,FindClose, 6_2_6C9BAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00716868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00716868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00717496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00717496
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2242082907.00000000047CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000002.2246224413.000000006C9F8000.00000008.00000001.01000000.00000009.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2043797965.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2044209367.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000002.00000000.2046102925.0000000000CE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000000.2069014707.0000000000CCD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2043797965.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2044209367.000000007F5CB000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000002.00000000.2046102925.0000000000CE1000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000006.00000000.2069014707.0000000000CCD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process information set: 01 00 00 00
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C843886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C843886
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9C5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle, 6_2_6C9C5120
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C843C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C843C62
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C843D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C843D18
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C843D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C843D62
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9C5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6C9C5D60
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C8439CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C8439CF
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C843A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6C843A6A
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C841950: CreateFileA,DeviceIoControl,CloseHandle, 6_2_6C841950
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C844754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor, 6_2_6C844754
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C844754 6_2_6C844754
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C854A27 6_2_6C854A27
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9C1880 6_2_6C9C1880
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9C6A43 6_2_6C9C6A43
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA26CE0 6_2_6CA26CE0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA94DE0 6_2_6CA94DE0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA76D10 6_2_6CA76D10
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9F8EA1 6_2_6C9F8EA1
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA4AEEF 6_2_6CA4AEEF
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA7EEF0 6_2_6CA7EEF0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA12EC9 6_2_6CA12EC9
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA44896 6_2_6CA44896
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA8C8D0 6_2_6CA8C8D0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA86820 6_2_6CA86820
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA6E810 6_2_6CA6E810
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA94870 6_2_6CA94870
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA96999 6_2_6CA96999
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA8A930 6_2_6CA8A930
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA76900 6_2_6CA76900
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA9A91A 6_2_6CA9A91A
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9F8972 6_2_6C9F8972
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA88950 6_2_6CA88950
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA84AA0 6_2_6CA84AA0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA9AA00 6_2_6CA9AA00
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA50A52 6_2_6CA50A52
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA6AB90 6_2_6CA6AB90
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA8EBC0 6_2_6CA8EBC0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA00BCA 6_2_6CA00BCA
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA10B66 6_2_6CA10B66
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA584AC 6_2_6CA584AC
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA84489 6_2_6CA84489
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA7E4D0 6_2_6CA7E4D0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA72580 6_2_6CA72580
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA7C580 6_2_6CA7C580
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA745D0 6_2_6CA745D0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA62521 6_2_6CA62521
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA88520 6_2_6CA88520
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA946C0 6_2_6CA946C0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA8E600 6_2_6CA8E600
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA867A0 6_2_6CA867A0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9FC7CF 6_2_6C9FC7CF
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA5C7F3 6_2_6CA5C7F3
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA967C0 6_2_6CA967C0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA7E0E0 6_2_6CA7E0E0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA70020 6_2_6CA70020
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA8C2A0 6_2_6CA8C2A0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA88200 6_2_6CA88200
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA95D90 6_2_6CA95D90
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA47D43 6_2_6CA47D43
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA73D50 6_2_6CA73D50
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA79E80 6_2_6CA79E80
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA51F11 6_2_6CA51F11
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA6589F 6_2_6CA6589F
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA878C8 6_2_6CA878C8
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA799F0 6_2_6CA799F0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA71AA0 6_2_6CA71AA0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA6DAD0 6_2_6CA6DAD0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA6FA50 6_2_6CA6FA50
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA1540A 6_2_6CA1540A
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA3F5EC 6_2_6CA3F5EC
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA7F5C0 6_2_6CA7F5C0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA796E0 6_2_6CA796E0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA8F640 6_2_6CA8F640
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA6B650 6_2_6CA6B650
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA937C0 6_2_6CA937C0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA99700 6_2_6CA99700
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA13092 6_2_6CA13092
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA7F050 6_2_6CA7F050
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA771F0 6_2_6CA771F0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA7D280 6_2_6CA7D280
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA7D380 6_2_6CA7D380
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA86AF0 6_2_6CA86AF0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA83750 6_2_6CA83750
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007581EC 10_2_007581EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007981C0 10_2_007981C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00784250 10_2_00784250
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A8240 10_2_007A8240
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007AC3C0 10_2_007AC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A04C8 10_2_007A04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00788650 10_2_00788650
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0078C950 10_2_0078C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00760943 10_2_00760943
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00788C20 10_2_00788C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A0E00 10_2_007A0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A4EA0 10_2_007A4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007710AC 10_2_007710AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0079D089 10_2_0079D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A1120 10_2_007A1120
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0078D1D0 10_2_0078D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A91C0 10_2_007A91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00795180 10_2_00795180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007AD2C0 10_2_007AD2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007753F3 10_2_007753F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007153CF 10_2_007153CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007AD470 10_2_007AD470
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A54D0 10_2_007A54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0075D496 10_2_0075D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00711572 10_2_00711572
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A1550 10_2_007A1550
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00769652 10_2_00769652
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0079D6A0 10_2_0079D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00729766 10_2_00729766
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007197CA 10_2_007197CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007AD9E0 10_2_007AD9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00711AA1 10_2_00711AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00795E80 10_2_00795E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00795F80 10_2_00795F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0072E00A 10_2_0072E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007922E0 10_2_007922E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007B2300 10_2_007B2300
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0077E49F 10_2_0077E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007925F0 10_2_007925F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007866D0 10_2_007866D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0078A6A0 10_2_0078A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007AE990 10_2_007AE990
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00792A80 10_2_00792A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0076AB11 10_2_0076AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00796CE0 10_2_00796CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007970D0 10_2_007970D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0077B121 10_2_0077B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0078B180 10_2_0078B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A7200 10_2_007A7200
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0073B3E4 10_2_0073B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007AF3C0 10_2_007AF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0079F3A0 10_2_0079F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0079F420 10_2_0079F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00787410 10_2_00787410
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A3530 10_2_007A3530
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007B351A 10_2_007B351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0078F500 10_2_0078F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007AF599 10_2_007AF599
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007B3601 10_2_007B3601
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007A77C0 10_2_007A77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00783790 10_2_00783790
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0073F8E0 10_2_0073F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0078F910 10_2_0078F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00797AF0 10_2_00797AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00763AEF 10_2_00763AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0072BAC9 10_2_0072BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00797C50 10_2_00797C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0072BC92 10_2_0072BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0078FDF0 10_2_0078FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: String function: 6C9F9240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: String function: 6CA96F10 appears 728 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 007128E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 007AFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 00711E40 appears 172 times
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2044209367.000000007F8CA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000000.2042094476.00000000009B9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2043797965.00000000028BE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr Binary string: \Device\TfKbMonPWLCache
Source: classification engine Classification label: mal84.evad.winEXE@116/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9C5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6C9C5D60
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00719313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 10_2_00719313
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00723D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00723D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00719252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, 10_2_00719252
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9C5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW, 6_2_6C9C5240
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp File created: C:\Program Files (x86)\Windows NT\is-9Q49J.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3224:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1564:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:764:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1488:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6480:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: unknown Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe Process created: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20474,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe Process created: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20492,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Static file information: File size 8595621 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2113537072.0000000001380000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2113433554.0000000003DB0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_007957D0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x3439cd
Source: update.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: update.vac.2.dr Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Static PE information: real checksum: 0x0 should be: 0x838234
Source: hrsw.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x3439cd
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.2.dr Static PE information: section name: .00cfg
Source: update.vac.2.dr Static PE information: section name: .voltbl
Source: update.vac.2.dr Static PE information: section name: .8Tk
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr Static PE information: section name: .8Tk
Source: update.vac.6.dr Static PE information: section name: .00cfg
Source: update.vac.6.dr Static PE information: section name: .voltbl
Source: update.vac.6.dr Static PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9C86EB push ecx; ret 6_2_6C9C86FE
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C870F00 push ss; retn 0001h 6_2_6C870F0A
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA96F10 push eax; ret 6_2_6CA96F2E
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9FB9F4 push 004AC35Ch; ret 6_2_6C9FBA0E
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA97290 push eax; ret 6_2_6CA972BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007145F4 push 007BC35Ch; ret 10_2_0071460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007AFB10 push eax; ret 10_2_007AFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007AFE90 push eax; ret 10_2_007AFEBE
Source: update.vac.2.dr Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.6.dr Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.6.dr Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-P2CCP.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe File created: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-5OPPK.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-5OPPK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp File created: C:\Users\user\AppData\Local\Temp\is-P2CCP.tmp\update.vac
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5693
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3929
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Window / User API: threadDelayed 648
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Window / User API: threadDelayed 717
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Window / User API: threadDelayed 621
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P2CCP.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5OPPK.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5OPPK.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-P2CCP.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.6 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6648 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9BAEC0 FindFirstFileA,FindClose,FindClose, 6_2_6C9BAEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00716868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_00716868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00717496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_00717496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00719C60 GetSystemInfo, 10_2_00719C60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000002.00000002.2073106693.000000000098E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C843886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6C843886
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9D0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C9D0181
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007957D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_007957D0
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9D9D35 mov eax, dword ptr fs:[00000030h] 6_2_6C9D9D35
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9D9D66 mov eax, dword ptr fs:[00000030h] 6_2_6C9D9D66
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9CF17D mov eax, dword ptr fs:[00000030h] 6_2_6C9CF17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6C9C8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6C9C8CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-LDPLH.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar (reported 31 times)
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
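Detection logic for the two evasion steps recorded above, as an added example that is not part of the Joe Sandbox report: a Defender exclusion added for a whole drive root through Add-MpPreference (in clear text as seen here, and in the -EncodedCommand form the report's Sigma hit refers to), and a kernel-mode service registered with sc.exe whose binPath is a .dll rather than a .sys, followed by repeated sc start calls. The process-creation records are constructed to mirror the report's process tree; the record fields (pid, image, cmdline) and the rule names are assumptions, not a particular log schema.

```python
"""Triage of process-creation records for Defender-exclusion and kernel-driver
evasion. Records are constructed below to mirror the sandbox report; the field
names and rule names are this example's own assumptions."""
import base64
import re
from collections import Counter

ENC_FLAG = re.compile(r'(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})')
MPPREF = re.compile(r'(?i)\bAdd-MpPreference\b')
EXCL_PATH = re.compile(r'''(?i)-ExclusionPath\s+(?:'([^']*)'|"([^"]*)"|(\S+))''')
SC_CREATE = re.compile(r'(?i)\bsc(?:\.exe)?\s+create\s+(\S+)(.*)$')
SC_START = re.compile(r'(?i)\bsc(?:\.exe)?\s+start\s+(\S+)')
SC_OPT = re.compile(r'(\w+)=\s*(?:"([^"]*)"|(\S+))')   # sc.exe syntax is "key= value"


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind -EncodedCommand/-enc/-ec/-e (base64 of UTF-16LE),
    or the command line unchanged when it is not encoded or will not decode."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    flag = m.group(1).lower()
    if flag != 'ec' and not 'encodedcommand'.startswith(flag):
        return cmdline            # -ep / -ex are ExecutionPolicy, not a payload
    try:
        return base64.b64decode(m.group(2), validate=True).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return cmdline


def exclusion_paths(script: str) -> list:
    """Paths handed to Add-MpPreference -ExclusionPath (first quoted or bare value
    of each occurrence; a comma-separated list inside one value is split)."""
    if not MPPREF.search(script):
        return []
    paths = []
    for m in EXCL_PATH.finditer(script):
        raw = next(g for g in m.groups() if g is not None)
        paths.extend(p.strip().strip('\'"') for p in raw.split(',') if p.strip())
    return paths


def is_broad_path(path: str) -> bool:
    """True for a drive root (C:\\), a bare root (\\) or a wildcard: an exclusion
    that stops scanning for everything the malware will ever drop."""
    p = path.strip().rstrip('\\/')
    return p in ('', '*') or re.fullmatch(r'(?i)[a-z]:', p) is not None


def parse_sc_create(cmdline: str):
    """Service name and options from 'sc create <name> key= value ...', else None."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    opts = {k.lower(): (q or u) for k, q, u in SC_OPT.findall(m.group(2))}
    return {'name': m.group(1), 'opts': opts}


def triage(events: list) -> list:
    """Run both detections over process-creation records and return findings."""
    findings, kernel_services, starts = [], set(), Counter()
    for ev in events:
        image, cmd = ev.get('image', '').lower(), ev['cmdline']
        if image.endswith(('powershell.exe', 'pwsh.exe')):
            for p in exclusion_paths(decode_encoded_command(cmd)):
                broad = is_broad_path(p)
                findings.append({'pid': ev['pid'], 'detail': p,
                                 'rule': 'defender_exclusion_root' if broad else 'defender_exclusion',
                                 'severity': 'high' if broad else 'medium'})
        elif image.endswith('sc.exe'):
            svc = parse_sc_create(cmd)
            if svc and svc['opts'].get('type', '').lower() in ('kernel', 'filesys'):
                binpath = svc['opts'].get('binpath', '')
                nonsys = not binpath.lower().endswith('.sys')   # drivers ship as .sys
                kernel_services.add(svc['name'].lower())
                findings.append({'pid': ev['pid'], 'detail': f"{svc['name']} -> {binpath}",
                                 'rule': 'kernel_driver_nonsys' if nonsys else 'kernel_driver_create',
                                 'severity': 'high' if nonsys else 'medium'})
            m = SC_START.search(cmd)
            if m and m.group(1).lower() in kernel_services:
                starts[m.group(1).lower()] += 1
    for name, n in starts.items():   # surfaces the retry loop seen in the report
        findings.append({'pid': None, 'rule': 'kernel_driver_start', 'severity': 'high',
                         'detail': f'{name} started {n} time(s)'})
    return findings


# Constructed records shaped after the report's process tree (not sandbox output).
ROOT = 'C:\\'
DRIVER = r'C:\Program Files (x86)\Windows NT\tProtect.dll'
PS = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
SC = r'C:\Windows\System32\sc.exe'
ENCODED = base64.b64encode(f"Add-MpPreference -ExclusionPath '{ROOT}'".encode('utf-16-le')).decode()
SAMPLE_EVENTS = [
    {'pid': 101, 'image': PS, 'cmdline': f'"powershell.exe" -Command "Add-MpPreference -ExclusionPath \'{ROOT}\'"'},
    {'pid': 102, 'image': PS, 'cmdline': f'powershell.exe -nop -w hidden -enc {ENCODED}'},
    {'pid': 103, 'image': PS, 'cmdline': f'powershell.exe -Command "Add-MpPreference -ExclusionPath \'{ROOT}Builds\\cache\'"'},
    {'pid': 104, 'image': SC, 'cmdline': f'sc create CleverSoar displayname= CleverSoar binPath= "{DRIVER}" type= kernel start= auto'},
    *[{'pid': 105 + i, 'image': SC, 'cmdline': 'sc start CleverSoar'} for i in range(3)],
    {'pid': 108, 'image': SC, 'cmdline': r'sc create UpdaterSvc binPath= "C:\Program Files\Vendor\updater.exe" start= auto'},
]

if __name__ == '__main__':
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['rule']:24} pid={f['pid']} {f['detail']}")
```

Feed it the Image and CommandLine fields of Sysmon event 1 or Security event 4688 (with command-line auditing enabled); Defender's own operational log corroborates the exclusion change as event 5007. Treat `type= kernel` with a `.dll` binPath as high regardless of whether the start succeeds: the report shows `sc start CleverSoar` issued 31 times, and counting starts per kernel service surfaces that retry pattern.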
Source: C:\Users\user\AppData\Local\Temp\is-PB21B.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp Code function: 6_2_6CA97720 cpuid 6_2_6CA97720
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0071AB2A GetSystemTimeAsFileTime, 10_2_0071AB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007B0090 GetVersion, 10_2_007B0090
No contacted IP infos