Windows Analysis Report
#U5b89#U88c5#U52a9#U624b1.0.3.exe

Overview

General Information

Sample name: #U5b89#U88c5#U52a9#U624b1.0.3.exe
renamed because original name is a hash value
Original sample name: 1.0.3.exe
Analysis ID: 1580230
MD5: 3dd1a269e502f7284674c54819e9ad8e
SHA1: f3764c08583b70e6427d8efe97e6daa1582de9a3
SHA256: 9622e99ad30c7b5bef5ad85c34ea80a961f1d5d05dcc9a0083c3fa8a00966228
Tags: exe, SilverFox, winos, user-kafan_shengui

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to hide a thread from the debugger
Found driver which could be used to inject code into processes
Hides threads from debuggers
Loading BitLocker PowerShell Module
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: New Kernel Driver Via SC.EXE
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc Virustotal: Detection: 15%
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Virustotal: Detection: 6%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 84.0% probability
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2169234402.0000000002150000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2169131101.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC4AEC0 FindFirstFileA,FindClose, 6_2_6CC4AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_007C6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_007C7496
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2301249737.000000006CC88000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000002.2298504162.0000000004429000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108961550.000000007F95B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108604500.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2110772600.0000000000251000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000000.2123660203.00000000006CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108961550.000000007F95B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108604500.0000000002F90000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000000.2110772600.0000000000251000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000006.00000000.2123660203.00000000006CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr, #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process information set: 01 00 00 00
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6CAD3886
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC55120 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle, 6_2_6CC55120
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6CAD3C62
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC55D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6CC55D60
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6CAD3D18
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6CAD3D62
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6CAD39CF
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread, 6_2_6CAD3A6A
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD1950 CreateFileA,DeviceIoControl,CloseHandle, 6_2_6CAD1950
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor, 6_2_6CAD4754
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD4754 6_2_6CAD4754
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAE4A27 6_2_6CAE4A27
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC51880 6_2_6CC51880
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC56A43 6_2_6CC56A43
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCB6CE0 6_2_6CCB6CE0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD24DE0 6_2_6CD24DE0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD06D10 6_2_6CD06D10
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCA2EC9 6_2_6CCA2EC9
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD0EEF0 6_2_6CD0EEF0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCDAEEF 6_2_6CCDAEEF
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC88EA1 6_2_6CC88EA1
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD1C8D0 6_2_6CD1C8D0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCD4896 6_2_6CCD4896
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD24870 6_2_6CD24870
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCFE810 6_2_6CCFE810
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD16820 6_2_6CD16820
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD26999 6_2_6CD26999
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD18950 6_2_6CD18950
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC88972 6_2_6CC88972
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD06900 6_2_6CD06900
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD1A930 6_2_6CD1A930
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD14AA0 6_2_6CD14AA0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCE0A52 6_2_6CCE0A52
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC90BCA 6_2_6CC90BCA
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD1EBC0 6_2_6CD1EBC0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCFAB90 6_2_6CCFAB90
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCA0B66 6_2_6CCA0B66
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD0E4D0 6_2_6CD0E4D0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD14489 6_2_6CD14489
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCE84AC 6_2_6CCE84AC
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD045D0 6_2_6CD045D0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD0C580 6_2_6CD0C580
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD02580 6_2_6CD02580
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCF2521 6_2_6CCF2521
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD18520 6_2_6CD18520
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD246C0 6_2_6CD246C0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD1E600 6_2_6CD1E600
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC8C7CF 6_2_6CC8C7CF
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD267C0 6_2_6CD267C0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCEC7F3 6_2_6CCEC7F3
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD167A0 6_2_6CD167A0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD0E0E0 6_2_6CD0E0E0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD00020 6_2_6CD00020
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD1C2A0 6_2_6CD1C2A0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD18200 6_2_6CD18200
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD25D90 6_2_6CD25D90
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD03D50 6_2_6CD03D50
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCD7D43 6_2_6CCD7D43
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD09E80 6_2_6CD09E80
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCE1F11 6_2_6CCE1F11
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD178C8 6_2_6CD178C8
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCF589F 6_2_6CCF589F
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD099F0 6_2_6CD099F0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCFDAD0 6_2_6CCFDAD0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD01AA0 6_2_6CD01AA0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCFFA50 6_2_6CCFFA50
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCA540A 6_2_6CCA540A
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD0F5C0 6_2_6CD0F5C0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCCF5EC 6_2_6CCCF5EC
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD096E0 6_2_6CD096E0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD1F640 6_2_6CD1F640
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCFB650 6_2_6CCFB650
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD237C0 6_2_6CD237C0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD29700 6_2_6CD29700
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CCA3092 6_2_6CCA3092
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD0F050 6_2_6CD0F050
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD071F0 6_2_6CD071F0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD0D280 6_2_6CD0D280
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD0D380 6_2_6CD0D380
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD16AF0 6_2_6CD16AF0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD13750 6_2_6CD13750
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008081EC 10_2_008081EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008481C0 10_2_008481C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00858240 10_2_00858240
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00834250 10_2_00834250
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0085C3C0 10_2_0085C3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008504C8 10_2_008504C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00838650 10_2_00838650
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00810943 10_2_00810943
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0083C950 10_2_0083C950
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00838C20 10_2_00838C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00854EA0 10_2_00854EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00850E00 10_2_00850E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0084D089 10_2_0084D089
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008210AC 10_2_008210AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00845180 10_2_00845180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008591C0 10_2_008591C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0083D1D0 10_2_0083D1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00851120 10_2_00851120
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0085D2C0 10_2_0085D2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008253F3 10_2_008253F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C53CF 10_2_007C53CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0080D496 10_2_0080D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008554D0 10_2_008554D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0085D470 10_2_0085D470
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C1572 10_2_007C1572
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00851550 10_2_00851550
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0084D6A0 10_2_0084D6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00819652 10_2_00819652
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007D9766 10_2_007D9766
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C97CA 10_2_007C97CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0085D9E0 10_2_0085D9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C1AA1 10_2_007C1AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00845E80 10_2_00845E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00845F80 10_2_00845F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007DE00A 10_2_007DE00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008422E0 10_2_008422E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00862300 10_2_00862300
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0082E49F 10_2_0082E49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008425F0 10_2_008425F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0083A6A0 10_2_0083A6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008366D0 10_2_008366D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0085E990 10_2_0085E990
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00842A80 10_2_00842A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0081AB11 10_2_0081AB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00846CE0 10_2_00846CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008470D0 10_2_008470D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0083B180 10_2_0083B180
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0082B121 10_2_0082B121
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00857200 10_2_00857200
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0084F3A0 10_2_0084F3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0085F3C0 10_2_0085F3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007EB3E4 10_2_007EB3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00837410 10_2_00837410
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0084F420 10_2_0084F420
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0085F599 10_2_0085F599
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0083F500 10_2_0083F500
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0086351A 10_2_0086351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00853530 10_2_00853530
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00863601 10_2_00863601
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00833790 10_2_00833790
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008577C0 10_2_008577C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007EF8E0 10_2_007EF8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0083F910 10_2_0083F910
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00813AEF 10_2_00813AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00847AF0 10_2_00847AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007DBAC9 10_2_007DBAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00847C50 10_2_00847C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007DBC92 10_2_007DBC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0083FDF0 10_2_0083FDF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: String function: 6CC89240 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: String function: 6CD26F10 appears 727 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 007C28E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 007C1E40 appears 151 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: String function: 0085FB10 appears 723 times
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000000.2107201494.00000000004D9000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108961550.000000007FC5A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe, 00000000.00000003.2108604500.00000000030AE000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Binary or memory string: OriginalFileNameJvZmpUrwOHxhtD.exe vs #U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tProtect.dll.12.dr Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr Binary string: \Device\TfKbMonPWLCache
Source: classification engine Classification label: mal92.evad.winEXE@137/33@0/0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC55D60 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction, 6_2_6CC55D60
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C9313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 10_2_007C9313
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007D3D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_007D3D66
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C9252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW, 10_2_007C9252
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC55240 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW, 6_2_6CC55240
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp File created: C:\Program Files (x86)\Windows NT\is-51JMP.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6468:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6836:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1804:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1372:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:964:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5708:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4048:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3856:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3728:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6684:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3424:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5684:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3916:120:WilError_03
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe File created: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Virustotal: Detection: 6%
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe
Source: unknown Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Process created: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$2040C,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Process created: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$1042A,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Process created: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$2040C,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe"
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Process created: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp "C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp" /SL5="$1042A,6541320,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Static file information: File size 7495744 > 1048576
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.2169234402.0000000002150000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.2169131101.0000000002F70000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008457D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_008457D0
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr Static PE information: real checksum: 0x0 should be: 0x343ce5
Source: update.vac.6.dr Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: update.vac.2.dr Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr Static PE information: real checksum: 0x0 should be: 0x343ce5
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Static PE information: real checksum: 0x0 should be: 0x72e436
Source: hrsw.vbc.6.dr Static PE information: real checksum: 0x0 should be: 0x372ce7
Source: tProtect.dll.12.dr Static PE information: real checksum: 0x1eb0f should be: 0xfc66
Source: #U5b89#U88c5#U52a9#U624b1.0.3.exe Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.0.dr Static PE information: section name: .didata
Source: update.vac.2.dr Static PE information: section name: .00cfg
Source: update.vac.2.dr Static PE information: section name: .voltbl
Source: update.vac.2.dr Static PE information: section name: .8Tk
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp.5.dr Static PE information: section name: .didata
Source: 7zr.exe.6.dr Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr Static PE information: section name: .8Tk
Source: update.vac.6.dr Static PE information: section name: .00cfg
Source: update.vac.6.dr Static PE information: section name: .voltbl
Source: update.vac.6.dr Static PE information: section name: .8Tk
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC586EB push ecx; ret 6_2_6CC586FE
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CB00F00 push ss; retn 0001h 6_2_6CB00F0A
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD26F10 push eax; ret 6_2_6CD26F2E
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC8B9F4 push 004AC35Ch; ret 6_2_6CC8BA0E
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD27290 push eax; ret 6_2_6CD272BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C45F4 push 0086C35Ch; ret 10_2_007C460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0085FB10 push eax; ret 10_2_0085FB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_0085FE90 push eax; ret 10_2_0085FEBE
Source: update.vac.2.dr Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: hrsw.vbc.6.dr Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: update.vac.6.dr Static PE information: section name: .8Tk entropy: 7.190790923053346
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe File created: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp File created: C:\Program Files (x86)\Windows NT\hrsw.vbc Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe File created: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp File created: C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\update.vac Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe File created: C:\Program Files (x86)\Windows NT\tProtect.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp File created: C:\Program Files (x86)\Windows NT\7zr.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp File created: C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\update.vac Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp File created: C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp System information queried: FirmwareTableInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6323
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3351
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Window / User API: threadDelayed 595
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Window / User API: threadDelayed 650
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Window / User API: threadDelayed 561
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\update.vac
Source: C:\Program Files (x86)\Windows NT\7zr.exe Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-U1N14.tmp\update.vac
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MRB94.tmp\_isetup\_setup64.tmp
Source: C:\Program Files (x86)\Windows NT\7zr.exe API coverage: 7.7 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2688 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC4AEC0 FindFirstFileA,FindClose, 6_2_6CC4AEC0
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C6868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW, 10_2_007C6868
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C7496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW, 10_2_007C7496
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007C9C60 GetSystemInfo, 10_2_007C9C60
Source: #U5b89#U88c5#U52a9#U624b1.0.3.tmp, 00000002.00000002.2138341068.00000000015DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CAD3886 NtSetInformationThread 00000000,00000011,00000000,00000000 6_2_6CAD3886
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC60181 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6CC60181
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_008457D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount, 10_2_008457D0
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC69D66 mov eax, dword ptr fs:[00000030h] 6_2_6CC69D66
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC69D35 mov eax, dword ptr fs:[00000030h] 6_2_6CC69D35
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC5F17D mov eax, dword ptr fs:[00000030h] 6_2_6CC5F17D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CC58CBD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6CC58CBD

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: tProtect.dll.12.dr Static PE information: Found potential injection code
Source: C:\Users\user\AppData\Local\Temp\is-HSI1O.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b1.0.3.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-3G83D.tmp\#U5b89#U88c5#U52a9#U624b1.0.3.tmp Code function: 6_2_6CD27700 cpuid 6_2_6CD27700
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_007CAB2A GetSystemTimeAsFileTime, 10_2_007CAB2A
Source: C:\Program Files (x86)\Windows NT\7zr.exe Code function: 10_2_00860090 GetVersion, 10_2_00860090
No contacted IP infos