Edit tour

Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.4.exe

Overview

General Information

Sample name:	#U5b89#U88c5#U52a9#U624b2.0.4.exe renamed because original name is a hash value
Original sample name:	2.0.4.exe
Analysis ID:	1580394
MD5:	824d18101868c00261fd732e2e713fa6
SHA1:	04df8109561e9a1aed04fa7ed7d4b3c931bde5c7
SHA256:	2e5c530decd37133e50f6b149f634973e54cf555abcb309e829a3e8dcd223724
Tags:	exeSilverFoxwinosuser-kafan_shengui
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to hide a thread from the debugger

Found driver which could be used to inject code into processes

Hides threads from debuggers

Loading BitLocker PowerShell Module

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Query firmware table information (likely to detect VMs)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: New Kernel Driver Via SC.EXE

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

#U5b89#U88c5#U52a9#U624b2.0.4.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" MD5: 824D18101868C00261FD732E2E713FA6)

#U5b89#U88c5#U52a9#U624b2.0.4.tmp (PID: 7512 cmdline: "C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1042C,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" MD5: 5F1FEB7EA510D8FB9A35D5802519EBDB)

powershell.exe (PID: 7532 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6148 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

#U5b89#U88c5#U52a9#U624b2.0.4.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT MD5: 824D18101868C00261FD732E2E713FA6)

#U5b89#U88c5#U52a9#U624b2.0.4.tmp (PID: 7712 cmdline: "C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$2044A,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT MD5: 5F1FEB7EA510D8FB9A35D5802519EBDB)

7zr.exe (PID: 7808 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)

conhost.exe (PID: 7836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

7zr.exe (PID: 7888 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)

conhost.exe (PID: 7896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7776 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7788 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7960 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7984 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8000 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8024 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8088 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8104 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8156 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8168 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7276 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4216 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2068 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3532 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5492 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4524 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5272 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5760 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7304 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7504 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1196 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1612 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3340 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2168 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1984 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2216 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2464 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2772 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2976 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2884 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4300 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4080 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2616 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4584 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7524 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4676 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4932 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3848 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7788 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7496 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7748 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7948 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7908 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7980 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8040 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8072 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8124 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8132 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 6048 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7268 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7276 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4216 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 332 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5828 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3780 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6864 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7376 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7308 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 752 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 768 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1568 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3508 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1042C,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp, ParentProcessId: 7512, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7532, ProcessName: powershell.exe

Sigma detected: New Kernel Driver Via SC.EXE

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7776, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7788, ProcessName: sc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7776, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 7788, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1042C,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp, ParentProcessId: 7512, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7532, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\update.vac	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\update.vac	ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.3% probability

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1448557878.0000000002860000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1448478067.00000000034C0000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA6B430 FindFirstFileA,FindClose,FindClose,		6_2_6CA6B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00856868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		10_2_00856868

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00857496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

10_2_00857496

Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1601349832.000000006CAA8000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1596647298.0000000003A4E000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr, update.vac.6.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1390211414.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1391080375.000000007EB9B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000000.1392689338.0000000000E71000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000000.1411849175.00000000004CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp.5.dr	String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1390211414.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1391080375.000000007EB9B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000000.1392689338.0000000000E71000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000000.1411849175.00000000004CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp.5.dr	String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Process information set: 01 00 00 00

Jump to behavior

System Summary

PE file contains section with special chars

Source: update.vac.2.dr	Static PE information: section name: .#.q
Source: hrsw.vbc.6.dr	Static PE information: section name: .#.q
Source: update.vac.6.dr	Static PE information: section name: .#.q

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA75690 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,	6_2_6CA75690
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6C8F3886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8F3886
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6C8F3C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8F3C62
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6C8F3D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8F3D18
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6C8F3D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8F3D62
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6C8F39CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8F39CF
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA762D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,	6_2_6CA762D0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6C8F3A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6C8F3A6A

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Code function: 6_2_6C8F1950: CreateFileA,DeviceIoControl,CloseHandle,

6_2_6C8F1950

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Code function: 6_2_6C8F4754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,

6_2_6C8F4754

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6C8F4754	6_2_6C8F4754
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6C904A27	6_2_6C904A27
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA71DF0	6_2_6CA71DF0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA76FB3	6_2_6CA76FB3
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAD6CE0	6_2_6CAD6CE0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB44DE0	6_2_6CB44DE0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB26D10	6_2_6CB26D10
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAA8EA1	6_2_6CAA8EA1
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAFAEEF	6_2_6CAFAEEF
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB2EEF0	6_2_6CB2EEF0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAC2EC9	6_2_6CAC2EC9
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAF4896	6_2_6CAF4896
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB3C8D0	6_2_6CB3C8D0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB36820	6_2_6CB36820
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB1E810	6_2_6CB1E810
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB44870	6_2_6CB44870
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB46999	6_2_6CB46999
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB3A930	6_2_6CB3A930
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB4A91A	6_2_6CB4A91A
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB26900	6_2_6CB26900
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAA8972	6_2_6CAA8972
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB38950	6_2_6CB38950
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB34AA0	6_2_6CB34AA0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB4AA00	6_2_6CB4AA00
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB00A52	6_2_6CB00A52
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB1AB90	6_2_6CB1AB90
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAB0BCA	6_2_6CAB0BCA
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB3EBC0	6_2_6CB3EBC0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAC0B66	6_2_6CAC0B66
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB084AC	6_2_6CB084AC
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB34489	6_2_6CB34489
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB2E4D0	6_2_6CB2E4D0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB2C580	6_2_6CB2C580
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB22580	6_2_6CB22580
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB245D0	6_2_6CB245D0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB12521	6_2_6CB12521
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB38520	6_2_6CB38520
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB446C0	6_2_6CB446C0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB3E600	6_2_6CB3E600
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB367A0	6_2_6CB367A0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB0C7F3	6_2_6CB0C7F3
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAAC7CF	6_2_6CAAC7CF
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB467C0	6_2_6CB467C0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB2E0E0	6_2_6CB2E0E0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB20020	6_2_6CB20020
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB3C2A0	6_2_6CB3C2A0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB38200	6_2_6CB38200
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB45D90	6_2_6CB45D90
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB23D50	6_2_6CB23D50
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAF7D43	6_2_6CAF7D43
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB29E80	6_2_6CB29E80
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB01F11	6_2_6CB01F11
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB1589F	6_2_6CB1589F
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB378C8	6_2_6CB378C8
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB299F0	6_2_6CB299F0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB21AA0	6_2_6CB21AA0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB1DAD0	6_2_6CB1DAD0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB1FA50	6_2_6CB1FA50
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAC540A	6_2_6CAC540A
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAEF5EC	6_2_6CAEF5EC
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB2F5C0	6_2_6CB2F5C0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB296E0	6_2_6CB296E0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB1B650	6_2_6CB1B650
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB3F640	6_2_6CB3F640
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB437C0	6_2_6CB437C0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB49700	6_2_6CB49700
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAC3092	6_2_6CAC3092
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB2F050	6_2_6CB2F050
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB271F0	6_2_6CB271F0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB2D280	6_2_6CB2D280
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB2D380	6_2_6CB2D380
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB36AF0	6_2_6CB36AF0
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB33750	6_2_6CB33750
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008981EC	10_2_008981EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D81C0	10_2_008D81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E8240	10_2_008E8240
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008C4250	10_2_008C4250
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008EC3C0	10_2_008EC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E04C8	10_2_008E04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008C8650	10_2_008C8650
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008A0943	10_2_008A0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008CC950	10_2_008CC950
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008C8C20	10_2_008C8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E4EA0	10_2_008E4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E0E00	10_2_008E0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008DD089	10_2_008DD089
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008B10AC	10_2_008B10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D5180	10_2_008D5180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E91C0	10_2_008E91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008CD1D0	10_2_008CD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E1120	10_2_008E1120
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008ED2C0	10_2_008ED2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008553CF	10_2_008553CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008B53F3	10_2_008B53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0089D496	10_2_0089D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E54D0	10_2_008E54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008ED470	10_2_008ED470
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E1550	10_2_008E1550
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00851572	10_2_00851572
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008DD6A0	10_2_008DD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008A9652	10_2_008A9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008597CA	10_2_008597CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00869766	10_2_00869766
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008ED9E0	10_2_008ED9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00851AA1	10_2_00851AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D5E80	10_2_008D5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D5F80	10_2_008D5F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0086E00A	10_2_0086E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D22E0	10_2_008D22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008F2300	10_2_008F2300
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008BE49F	10_2_008BE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D25F0	10_2_008D25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008CA6A0	10_2_008CA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008C66D0	10_2_008C66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008EE990	10_2_008EE990
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D2A80	10_2_008D2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008AAB11	10_2_008AAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D6CE0	10_2_008D6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D70D0	10_2_008D70D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008CB180	10_2_008CB180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008BB121	10_2_008BB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E7200	10_2_008E7200
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008DF3A0	10_2_008DF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008EF3C0	10_2_008EF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0087B3E4	10_2_0087B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008C7410	10_2_008C7410
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008DF420	10_2_008DF420
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008EF599	10_2_008EF599
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008CF500	10_2_008CF500
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008F351A	10_2_008F351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E3530	10_2_008E3530
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008F3601	10_2_008F3601
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008C3790	10_2_008C3790
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008E77C0	10_2_008E77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0087F8E0	10_2_0087F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008CF910	10_2_008CF910
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0086BAC9	10_2_0086BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008A3AEF	10_2_008A3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D7AF0	10_2_008D7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0086BC92	10_2_0086BC92
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008D7C50	10_2_008D7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008CFDF0	10_2_008CFDF0

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: String function: 6CB46F10 appears 728 times
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: String function: 6CAA9240 appears 53 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 008528E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 008EFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 00851E40 appears 171 times

Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.5.dr	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr	Static PE information: Number of sections : 11 > 10

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000000.1388426944.0000000000169000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameBhuQ1buY6k.exe vs #U5b89#U88c5#U52a9#U624b2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1391080375.000000007EE9A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameBhuQ1buY6k.exe vs #U5b89#U88c5#U52a9#U624b2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1390211414.0000000002D1E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameBhuQ1buY6k.exe vs #U5b89#U88c5#U52a9#U624b2.0.4.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe	Binary or memory string: OriginalFileNameBhuQ1buY6k.exe vs #U5b89#U88c5#U52a9#U624b2.0.4.exe

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tProtect.dll.12.dr	Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr	Binary string: \Device\TfKbMonPWLCache

Source: classification engine

Classification label: mal88.evad.winEXE@144/33@0/0

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA762D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,	6_2_6CA762D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00859313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	10_2_00859313
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00863D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	10_2_00863D66

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00859252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

10_2_00859252

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Code function: 6_2_6CA757B0 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,

6_2_6CA757B0

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

File created: C:\Program Files (x86)\Windows NT\is-4KD5J.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7252:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2660:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7836:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7884:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3772:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4936:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5616:120:WilError_03

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe

File created: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp

Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe

File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1042C,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe"
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$2044A,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$1042C,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Process created: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp "C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$2044A,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe

Static file information: File size 6130073 > 1048576

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_008D57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

10_2_008D57D0

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe	Static PE information: real checksum: 0x0 should be: 0x5dc5ed
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.5.dr	Static PE information: real checksum: 0x0 should be: 0x343936
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x343936
Source: update.vac.6.dr	Static PE information: real checksum: 0x0 should be: 0x378c79
Source: update.vac.2.dr	Static PE information: real checksum: 0x0 should be: 0x378c79
Source: hrsw.vbc.6.dr	Static PE information: real checksum: 0x0 should be: 0x378c79
Source: tProtect.dll.12.dr	Static PE information: real checksum: 0x1eb0f should be: 0xfc66

Source: #U5b89#U88c5#U52a9#U624b2.0.4.exe	Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.0.dr	Static PE information: section name: .didata
Source: update.vac.2.dr	Static PE information: section name: .00cfg
Source: update.vac.2.dr	Static PE information: section name: .voltbl
Source: update.vac.2.dr	Static PE information: section name: .#.q
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp.5.dr	Static PE information: section name: .didata
Source: 7zr.exe.6.dr	Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr	Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr	Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr	Static PE information: section name: .#.q
Source: update.vac.6.dr	Static PE information: section name: .00cfg
Source: update.vac.6.dr	Static PE information: section name: .voltbl
Source: update.vac.6.dr	Static PE information: section name: .#.q

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA78C5B push ecx; ret	6_2_6CA78C6E
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6C920F00 push ss; retn 0001h	6_2_6C920F0A
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB46F10 push eax; ret	6_2_6CB46F2E
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CAAB9F4 push 004AC35Ch; ret	6_2_6CAABA0E
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CB47290 push eax; ret	6_2_6CB472BE
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008545F4 push 008FC35Ch; ret	10_2_0085460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008EFB10 push eax; ret	10_2_008EFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_008EFE90 push eax; ret	10_2_008EFEBE

Source: update.vac.2.dr	Static PE information: section name: .#.q entropy: 7.193027440134885
Source: hrsw.vbc.6.dr	Static PE information: section name: .#.q entropy: 7.193027440134885
Source: update.vac.6.dr	Static PE information: section name: .#.q entropy: 7.193027440134885

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	File created: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	File created: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\update.vac	Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe	File created: C:\Program Files (x86)\Windows NT\tProtect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	File created: C:\Program Files (x86)\Windows NT\7zr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	File created: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	File created: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	File created: C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\update.vac	Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5754	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3933	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Window / User API: threadDelayed 666	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Window / User API: threadDelayed 690	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Window / User API: threadDelayed 643	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\update.vac	Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\_isetup\_setup64.tmp	Jump to dropped file

Source: C:\Program Files (x86)\Windows NT\7zr.exe

API coverage: 7.7 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7764

Thread sleep time: -5534023222112862s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA6B430 FindFirstFileA,FindClose,FindClose,		6_2_6CA6B430
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00856868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		10_2_00856868

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00857496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

10_2_00857496

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00859C60 GetSystemInfo,

10_2_00859C60

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000002.1420206614.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000002.1420206614.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\<

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Code function: 6_2_6C8F3886 NtSetInformationThread 00000000,00000011,00000000,00000000

6_2_6C8F3886

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Code function: 6_2_6CA806F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_6CA806F1

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_008D57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

10_2_008D57D0

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA7F6ED mov eax, dword ptr fs:[00000030h]	6_2_6CA7F6ED
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA8A2A5 mov eax, dword ptr fs:[00000030h]	6_2_6CA8A2A5
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA8A2D6 mov eax, dword ptr fs:[00000030h]	6_2_6CA8A2D6

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA806F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		6_2_6CA806F1
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Code function: 6_2_6CA7922D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		6_2_6CA7922D

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"			Jump to behavior

Found driver which could be used to inject code into processes

Source: tProtect.dll.12.dr

Static PE information: Found potential injection code

Source: C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Code function: 6_2_6CB47720 cpuid

6_2_6CB47720

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_0085AB2A GetSystemTimeAsFileTime,

10_2_0085AB2A

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_008F0090 GetVersion,

10_2_008F0090

Source: #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000002.1591724127.0000000000983000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: C:\Program Files\Windows Defender\MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	1 Windows Service	1 Disable or Modify Tools	LSASS Memory	431 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	111 Process Injection	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	2 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	25 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner
C:\Program Files (x86)\Windows NT\7zr.exe	0%	ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc	24%	ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll	9%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\update.vac	24%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\update.vac	24%	ReversingLabs

Name	Source	Malicious	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	#U5b89#U88c5#U52a9#U624b2.0.4.exe	false	high
https://www.remobjects.com/ps	#U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1390211414.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1391080375.000000007EB9B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000000.1392689338.0000000000E71000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000000.1411849175.00000000004CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp.5.dr	false	high
https://www.innosetup.com/	#U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1390211414.0000000002C00000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.exe, 00000000.00000003.1391080375.000000007EB9B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000002.00000000.1392689338.0000000000E71000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp, 00000006.00000000.1411849175.00000000004CD000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.4.tmp.5.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580394
Start date and time:	2024-12-24 13:01:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	110
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	#U5b89#U88c5#U52a9#U624b2.0.4.exe renamed because original name is a hash value
Original Sample Name:	2.0.4.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@144/33@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 28 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: #U5b89#U88c5#U52a9#U624b2.0.4.exe

Simulations

Behavior and APIs

Time	Type	Description
07:02:06	API Interceptor	1x Sleep call for process: #U5b89#U88c5#U52a9#U624b2.0.4.tmp modified
07:02:09	API Interceptor	40x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Windows NT\7zr.exe	#U5b89#U88c5#U52a9#U624b2.0.2.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b2.0.3.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b2.0.1.exe	Get hash	malicious	Unknown	Browse
	cVyexkZjrG.exe	Get hash	malicious	Unknown	Browse
	cVyexkZjrG.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.3.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.3.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Windows NT\7zr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	831200
Entropy (8bit):	6.671005303304742
Encrypted:	false
SSDEEP:	24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5:	84DC4B92D860E8AEA55D12B1E87EA108
SHA1:	56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256:	BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512:	CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious, Browse Filename: cVyexkZjrG.exe, Detection: malicious, Browse Filename: cVyexkZjrG.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.\| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..\| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\file.bin (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	data
Category:	dropped
Size (bytes):	1372592
Entropy (8bit):	7.999861765609051
Encrypted:	true
SSDEEP:	24576:2kMb3vsiC+gx2uaeFPJSyOODttN98lqcaSe6IblRJRyfDcKNbSbm:2BLSjjTdOO/N981He66RJRADqm
MD5:	13E2444DA7092C99CD5B7D74CAF035A3
SHA1:	127F47FDBA8D8CCD5515AEF760DFFBBF4B8AE75F
SHA-256:	9CFB0AE92EF977DA9735DB02DC5BC51053B329C0FC7E1592655C4494D20C097B
SHA-512:	A6C9F4C85CBA1DF6C41AC03AA2F9076095B4A710FD344AE4C29A183B17947AC69A13293B6371B09EC937150DC0A5663B38A36E97F4621A172638EAFA001140F6
Malicious:	false
Preview:	.@S.....@...................=.z'........#.1=..GD.]KU......8~zzt>..,.D.{"..s...).L..FG}o...!x-..-.<b:..;..>.m(.fKj.I.'%.SKy$q...T.u....ohCy.h.?c....P"G.~..~v...9....@.<aK...~9cD7..O...M..u%F..nN^...vq}/..A.B....$fV..lpjX.=d....i..=..u...p..a.N.Fv.wk..Y..^........$...l.a...+.V.-.y..Jm........V..AI.j..8.#......i..n...EpZ...(.)...v..>.El.(F..?...._.. ......^J.....F(.....U.`."'-.."?.$.`0.L:...!.....B.RE8d&..x...k.q......."...4.6O$NE./.Fr.4.....V..$..v.2....X9.g.0.0;.,..$.5....9.O.:.;.0Gj..z.......+.B..........t.:F..YH(.Y..$......e...k......U.u..n._.3h..!..V...zC.......S+)..wVI.j....Y1F.....H.`DT=&di ....q~.]....r.._\9/.Bo..l..r5..N.{......E..'x0.PR!.o....].y\|<.....G....2.A.y....3kL$../........@N.W]...Ls..5{X.dm.S7.J.N\|.P.9..u.g.^...S....v7E..m.u.r.N+.c.....[...^G.@..."f......r\}'.r..<NG.......2..i{xR.A.._Z0$.....Ol.......ixY.....;.2T#.*..l.AR.G+].X...:.3.<.?....x.... ..%...]P.......1]`,.n..g.._.%..1z9I.....,.Y.7.T5.h.-..6'2NP.....s..p$.;U

C:\Program Files (x86)\Windows NT\hrsw.vbc

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3606016
Entropy (8bit):	7.0063494494702985
Encrypted:	false
SSDEEP:	49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
MD5:	95ACD5631A9131DB1FD066565AFC9A67
SHA1:	8E9473BD632FF0F57FC34EECAC17174341D80D94
SHA-256:	EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
SHA-512:	70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\is-4KD5J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	data
Category:	dropped
Size (bytes):	1372592
Entropy (8bit):	7.999861765609051
Encrypted:	true
SSDEEP:	24576:2kMb3vsiC+gx2uaeFPJSyOODttN98lqcaSe6IblRJRyfDcKNbSbm:2BLSjjTdOO/N981He66RJRADqm
MD5:	13E2444DA7092C99CD5B7D74CAF035A3
SHA1:	127F47FDBA8D8CCD5515AEF760DFFBBF4B8AE75F
SHA-256:	9CFB0AE92EF977DA9735DB02DC5BC51053B329C0FC7E1592655C4494D20C097B
SHA-512:	A6C9F4C85CBA1DF6C41AC03AA2F9076095B4A710FD344AE4C29A183B17947AC69A13293B6371B09EC937150DC0A5663B38A36E97F4621A172638EAFA001140F6
Malicious:	false
Preview:	.@S.....@...................=.z'........#.1=..GD.]KU......8~zzt>..,.D.{"..s...).L..FG}o...!x-..-.<b:..;..>.m(.fKj.I.'%.SKy$q...T.u....ohCy.h.?c....P"G.~..~v...9....@.<aK...~9cD7..O...M..u%F..nN^...vq}/..A.B....$fV..lpjX.=d....i..=..u...p..a.N.Fv.wk..Y..^........$...l.a...+.V.-.y..Jm........V..AI.j..8.#......i..n...EpZ...(.)...v..>.El.(F..?...._.. ......^J.....F(.....U.`."'-.."?.$.`0.L:...!.....B.RE8d&..x...k.q......."...4.6O$NE./.Fr.4.....V..$..v.2....X9.g.0.0;.,..$.5....9.O.:.;.0Gj..z.......+.B..........t.:F..YH(.Y..$......e...k......U.u..n._.3h..!..V...zC.......S+)..wVI.j....Y1F.....H.`DT=&di ....q~.]....r.._\9/.Bo..l..r5..N.{......E..'x0.PR!.o....].y\|<.....G....2.A.y....3kL$../........@N.W]...Ls..5{X.dm.S7.J.N\|.P.9..u.g.^...S....v7E..m.u.r.N+.c.....[...^G.@..."f......r\}'.r..<NG.......2..i{xR.A.._Z0$.....Ol.......ixY.....;.2T#.*..l.AR.G+].X...:.3.<.?....x.... ..%...]P.......1]`,.n..g.._.%..1z9I.....,.Y.7.T5.h.-..6'2NP.....s..p$.;U

C:\Program Files (x86)\Windows NT\is-U16QK.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	1122527
Entropy (8bit):	7.999876279585022
Encrypted:	true
SSDEEP:	24576:dlXGATpPsSoQPBKfqOMpMPpEuO/GoVuLr1JJLqbNGt:vWATtsniOC5xqINGt
MD5:	B3AD8FA0868DACAD08D5437F30AC2FA1
SHA1:	FD04617E2774C1C6CF2606CFA67E0AB1E3AF51E5
SHA-256:	CC7BA22A1B12BC01EFA6EB6BB36BD78217D639BB1DA81DA49B2D19791B05C97E
SHA-512:	699420BAFA2ED1EC0C4ED5F375EABBF74AAB13E068926C498F09252AD89674875A1F079AA014E1E2E2B78850A81766875F98E79D036904E6380F38BA96976091
Malicious:	true
Preview:	...i/=.@..<.......K.....<.`y......M...$.4..u.3.1...../q.......dW....F*.....P..3.......x.s.bc2O..:?.F.Y...WWW.....W..x%i...^.P.9.....e.......@w.&.U....+..6.H...>...0..6T....Dc.R.p.t.....Z..2n.F)./.\|.57.....nF.B.v-f.7..$..F.?...N..)z....Dwe`...Y....z.!.F...S;..g..G...V'.~n+.ba.Y.g.....z.i..L"l....o.z....sF%E..........x.U.N....-.R~...,.T.Si.`-.&y[..D.N....w?......I.."......6N.....C.u.cd./.}.x...I......g.m\..h.:.Q...B.....WG2.`..4Z.......b.....M.o...u.$<V.p..k.....Y.[$Uj..X.....u.pVq.-9...-..f(....(+.<..2.<..x....._jp..O.Y...P..7.*.C..Dyf..TD...sZC.L.\|.B..V.a......... ...Dl..oE...~.3@<..:m0.....\:.f.r.B6.3..........g5._.^....Z.llF.....$...X.E6.Xe)...]v\....HM.............\P01c..%5y.+..W..YF..E>.p O..Y...w?..J..<....... ).U...j.%#3...Cv.>./.nA..b......'..a{\|.....!..=........".w3U...e........l+.A}.I.n9TL....`..m.).CX....pl.]/.q[+....'..a..c...>u..E..Z....Q....A.W.....2.N......]..&.;..^8.$...C...eh....g..l.........U...FR..dQ\|-..P.f.

C:\Program Files (x86)\Windows NT\locale.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	56530
Entropy (8bit):	7.997218177041297
Encrypted:	true
SSDEEP:	768:bFT8dTObt1UzruZjpqVnCUjSzTi1AbkiaQXFQo5POZZJDkFLYTELoETZt6IhO5U:xKKt1U+uHjSzTi17QXfm/gF2ETA5U
MD5:	34186AA3062BA60A4C997F9C1004A570
SHA1:	450376B4EAC800CA98B7B0F06AD93DE4BF058A4F
SHA-256:	3C911A027BA4EF1F78B2A48944303D73DBD1CD449EE0B388EA2146E05F6A5D6E
SHA-512:	B5B4A6B65EF8C786A40E4A914A2ACB8036175F50D7B55CC68CF25F0C87F1C48E8ADE25755037A00579D583FEF23E1DB54D720348AD43E2CC36CE46EF2C6A1361
Malicious:	false
Preview:	.@S.....[.t\| ..............)...a.E(.H1....l...U.\|..W91CH...q...X.i.[..!..,e...HO<>.\|.&<....Y.2....dz....2.GJq`m4...q.....^..=....~"..:d...(,...o6.#...2..9.z.......D.}.b..Q`nO.p..._.f...+...I...T...n.......#..+.}.9...g..!.%jwrEb.qE..C...U......n..l l.../.y.s....a.J<.}........i..r.u.q..F>_.......`....+........l..c6..ML.?u53..F...xD.&!I..I..)...@.F.....J...LY.p(..s>j(..C.].zz....yi.......#UA..i.\9....V.. .Syl..aF.(..T...r\|j...rJ..r!..~o...%..T.../...".OP....FSQb.n.....;Z.J]..5...]..~.m.M3.lH...l.....8.\.'T[.t0....f.P.g........Z.(.@..P.....}.S.<X.G.[{..^...q..P.:.v..O..D..~y,R3.....Y]........}YH...8.v.'Hf.a.9...(....<1P.0..E~.?.H_N...g.w......OMs.z.,.......{CW...N.B..@"{...Qn..]...gD...+~..O&C.....Q.z...........M.js..R ........a.#.I......0.8A.>$R....I..}.A...3......{8J.F._....)N2..8..6..3K..v ....i..Z.5..4....K#.<....#.Bn.$.._.".Az.X...e......./......e.6>..d!.v........7Xl..f\}.: ..j..D.,\|......v.r.._$t....s..m...X.6.......%.

C:\Program Files (x86)\Windows NT\locale.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	56530
Entropy (8bit):	7.997218177041301
Encrypted:	true
SSDEEP:	1536:5qt3xRyiDQT63RriabdPfa9P/NVhJ4HbFD3HrWL:5qX8AdiabdnaJlvJcbFDr0
MD5:	B668EDD4A3E4F2F8CE3332FAAB1533E5
SHA1:	0899B770D8FFD3816D5CC40D734B786BEAFC5FB0
SHA-256:	64E6660AD0767803AE1FEB3B34913252EF4A0A6D81ACE914D7D763D66B17E444
SHA-512:	F53F01A084BB3EE02E248DE539AC1484DD7EEDD4CA771724C766C7B0949559C3423C42FE6C5122930BD77FB76A77D033D733EBADFACE1C39C81C257985343FFE
Malicious:	false
Preview:	7z..'...............2........'.a.[..5L..A....u:1........!K.w.7:7C.V.8N...p.s..e......A..P......."...5d...Jb...O........z.C.?.,.F.l.Q.....6..zjq...:..X..e0.,.._.U...g.y..\.y.......y;..6...&.{-2...(R..r...sk>I$.~..Bw{..i.u.W.._..J.i......E..R.}Yt....VJ.]n..Y......<:"NN.5.._.ZV.cE..h.=...).......0fC....X.j..b.....!.P.....Rn........>....?..Hm..:..'D.B...5/.s'<.>......A...G\...d..K..+..]./..?P...V?.j..v.3.(...w...45....FF.:..J............Nk..Wo.$..R.GfP..KA.#..H;.G.....S.G.*.#.a....[......."..n..F...._.d.+T.v.X.G..-..4..7.)...PRzgh.z+3..t.j.?..gA..S.%.c..0.e.....s&4..K.y....C._w.c.}....P.\|K.h.\|".6...dM/.{....+.v.y...h........i...Vq.....R.6...;.i..A..Q.-.d/.....J...1.?..T(..BAn..,Z...jo...c\|&.W...n- 3...GP.rB[@)2r/"]D...@..w...[n".U0:...H..Z.sb..-i#.......=.3...v..Ep....\...i..5.#R.{T....C$.l..e..,9..9.o.....}.y~.3)...m....".6....lE.;.8....f.gr/n.x...>...E....<.!.....T..rLM....F..Q....a..y..^.<.rS:1....Q..(`~d~.:B..'O.7...V3+sK.oL..

C:\Program Files (x86)\Windows NT\locale2.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	56546
Entropy (8bit):	7.996966859255975
Encrypted:	true
SSDEEP:	1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5:	CEA69F993E1CE0FB945A98BF37A66546
SHA1:	7114365265F041DA904574D1F5876544506F89BA
SHA-256:	E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512:	4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious:	false
Preview:	.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.\|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~.....'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z\|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p..bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm....E....2........s. R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..

C:\Program Files (x86)\Windows NT\locale2.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	56546
Entropy (8bit):	7.996966859255979
Encrypted:	true
SSDEEP:	1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5:	4CB8B7E557C80FC7B014133AB834A042
SHA1:	C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256:	3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512:	A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious:	false
Preview:	7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..\|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.\|. a.:..5.....b.....2......W.....Z.pS.b/.F.;\|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f........@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..\| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..\|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.

C:\Program Files (x86)\Windows NT\locale3.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	31890
Entropy (8bit):	7.99402458740637
Encrypted:	true
SSDEEP:	768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5:	8622FC7228777F64A47BD6C61478ADD9
SHA1:	9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256:	4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512:	71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious:	false
Preview:	.@S......................xi.\ .~.#..:}..fy?koGL^\|kH.G...........x....Tg.Y.t....~^..".L.41.....R..\|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.\|a.]..@DP".`Rz}...\|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........\|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C.......V..\|..2.J..i.r....\|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ...8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..

C:\Program Files (x86)\Windows NT\locale3.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	31890
Entropy (8bit):	7.99402458740637
Encrypted:	true
SSDEEP:	768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
MD5:	CE6034AFC63BB42F4E0D6CD897DFBCB8
SHA1:	49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
SHA-256:	7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
SHA-512:	7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
Malicious:	false
Preview:	7z..'....oYU@\|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc.o@\|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB\|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.

C:\Program Files (x86)\Windows NT\locale4.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	74960
Entropy (8bit):	7.99759370165655
Encrypted:	true
SSDEEP:	1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
MD5:	950338D50B95A25F494EE74E97B7B7A9
SHA1:	F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
SHA-256:	87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
SHA-512:	9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
Malicious:	false
Preview:	.@S........................F.T....r...z'I.N..].u.e.e..y.....<\|r.:v.....J.i...L.Sv.....Nz..,..K.sI./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X\|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.......9;..R...VL.]..%j.....TM.4.....P.L...

C:\Program Files (x86)\Windows NT\locale4.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	74960
Entropy (8bit):	7.997593701656546
Encrypted:	true
SSDEEP:	1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
MD5:	059BA7C31F3E227356CA5F29E4AA2508
SHA1:	FA3DC96A3336903ED5E6105A197A02E618E3F634
SHA-256:	1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
SHA-512:	E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
Malicious:	false
Preview:	7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7....!!.(.....Gc..........Dg....Z..#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.\|T.5..V...E\|...q.........].}bl...y.....;...q....-a..RP3..L~k....\|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.

C:\Program Files (x86)\Windows NT\locale7.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	29730
Entropy (8bit):	7.994290657653607
Encrypted:	true
SSDEEP:	768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
MD5:	2C3E0D1FB580A8F0855355CC7D8D4F7A
SHA1:	177E4A0B7C4BC8ACE0F46127398808E669222515
SHA-256:	9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
SHA-512:	B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
Malicious:	false
Preview:	.@S....z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#\|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.\|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.

C:\Program Files (x86)\Windows NT\locale7.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	29730
Entropy (8bit):	7.994290657653608
Encrypted:	true
SSDEEP:	768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
MD5:	A9C8A3E00692F79E1BA9693003F85D18
SHA1:	5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
SHA-256:	B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
SHA-512:	8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
Malicious:	false
Preview:	7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?......XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...\|Ynic......ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..\|..)f...C....$...E....H"x..F....wW...3"......Y.Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$.....&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8

C:\Program Files (x86)\Windows NT\res.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	1372592
Entropy (8bit):	7.999861765609055
Encrypted:	true
SSDEEP:	24576:RXC0Z1CE1cj75fLWLdnGXl5NToCVCKJandcOFA4pzFae0drtI8:NC0ytfUusCEKMnm4rJGrt7
MD5:	C4F802091F7963ED5DE1360E7B79177B
SHA1:	314320F5F9B1D26478D53D614460820F23E3F80A
SHA-256:	9FB179273573C37A0155795E11CB301B193D4A6D26E9894CB6E324F27EAA91D6
SHA-512:	C12610102BAC3C167A80E4E5C60FB23AB04A2266ADE87F72918B885E6EF5436984CEDEF508CEECFDDD22FD155F371BAE0A1207B1C8ABBEBF14DBE04161741460
Malicious:	false
Preview:	7z..'...4.].P.......@....... Sl.c..e.."Lk1HJL....ND......o...VH~.......2. ....Co..jj.^.\......k`..u........a..7.............f.C. ..Z@R.....P.Y.<..l..Z.ul........~O./...a......G.N#v...,...g.....;.....x&.+...d'...........R......}0.5:/....#.D...t5.{..O..)...~o_.tE..g.X.g.k.H..P,Y..[.y`n...../.L..T.\.V.L.kY....u.....v......."....f..I..\..'..i.2..LLMJ....q..RV.. .t.....X...vN....C.....p.1...\|E.....'#u.7.d.<......'.7t.<.#\.....p....UX.jb.]%....;.1L@rF..C...\..X.G#{...f+tc@.0.:...j...%L.Ij.3`U=S...j..T....v..0.,SN.....$.. ?Z.V.n.....^i6."D..>....P.......J.F....#aGE^Z......#....hW.p.....X@y#.F.......EN6.....cj/5..d..../..\|@.U-G..ZU....kvBZ..B..n.....S].R.....2FU2.--V]p.../...\|......{f.eD.....S....=..s".....O..L....5Y....{.e.I.kM...p>2....J..e..)..+.B.N...AAg..M.h.z.D3.O#......#..0.....-B?.0P.4.......u....d..>. ..."bo.d.....`P..;.w..........i....@.[.}.j.C.Q-.........<L6T...a*@...V...5{.&F.gE.'....c0p..{.8.1. .O...B.k.I.v~....{Qb....w....

C:\Program Files (x86)\Windows NT\tProtect.dll

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63640
Entropy (8bit):	6.482810107683822
Encrypted:	false
SSDEEP:	768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
MD5:	B4EAACCE30F51EAF2A36CEA680B45A66
SHA1:	94493D7739C5EE7346DA31D9523404D62682B195
SHA-256:	15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
SHA-512:	16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.\|XN4.5N.\|HN6.5NA'XN6.5N.\|DN0.5N.\|IN6.5N.\|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\task.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.347034835751068
Encrypted:	false
SSDEEP:	48:dXKLzDlnlL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDlncwhldOVQOj6dKbKsz7
MD5:	062A3AACBCFA04B7986F0AAB0F7767C0
SHA1:	FD7A28C2D6B030B8E15622CEFFD824224F684973
SHA-256:	F46F7F3F8B4763B62B3B2E02E24B0300E3AB741DD3770F93FCFE7D1A26B1C46D
SHA-512:	9F0435883F31D801EFEC0A378473566F68CDD0DA9FBC36F2B431380D8E852E297891BD3AFC952E90CC5ED01C9041C79402FD774BFE98B036D73F9FDD65771B79
Malicious:	false
Preview:	<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAv

C:\Program Files (x86)\Windows NT\trash

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	DOS executable (COM, 0x8C-variant)
Category:	dropped
Size (bytes):	1122527
Entropy (8bit):	7.999876279585022
Encrypted:	true
SSDEEP:	24576:dlXGATpPsSoQPBKfqOMpMPpEuO/GoVuLr1JJLqbNGt:vWATtsniOC5xqINGt
MD5:	B3AD8FA0868DACAD08D5437F30AC2FA1
SHA1:	FD04617E2774C1C6CF2606CFA67E0AB1E3AF51E5
SHA-256:	CC7BA22A1B12BC01EFA6EB6BB36BD78217D639BB1DA81DA49B2D19791B05C97E
SHA-512:	699420BAFA2ED1EC0C4ED5F375EABBF74AAB13E068926C498F09252AD89674875A1F079AA014E1E2E2B78850A81766875F98E79D036904E6380F38BA96976091
Malicious:	true
Preview:	...i/=.@..<.......K.....<.`y......M...$.4..u.3.1...../q.......dW....F*.....P..3.......x.s.bc2O..:?.F.Y...WWW.....W..x%i...^.P.9.....e.......@w.&.U....+..6.H...>...0..6T....Dc.R.p.t.....Z..2n.F)./.\|.57.....nF.B.v-f.7..$..F.?...N..)z....Dwe`...Y....z.!.F...S;..g..G...V'.~n+.ba.Y.g.....z.i..L"l....o.z....sF%E..........x.U.N....-.R~...,.T.Si.`-.&y[..D.N....w?......I.."......6N.....C.u.cd./.}.x...I......g.m\..h.:.Q...B.....WG2.`..4Z.......b.....M.o...u.$<V.p..k.....Y.[$Uj..X.....u.pVq.-9...-..f(....(+.<..2.<..x....._jp..O.Y...P..7.*.C..Dyf..TD...sZC.L.\|.B..V.a......... ...Dl..oE...~.3@<..:m0.....\:.f.r.B6.3..........g5._.^....Z.llF.....$...X.E6.Xe)...]v\....HM.............\P01c..%5y.+..W..YF..E>.p O..Y...w?..J..<....... ).U...j.%#3...Cv.>./.nA..b......'..a{\|.....!..=........".w3U...e........l+.A}.I.n9TL....`..m.).CX....pl.]/.q[+....'..a..c...>u..E..Z....Q....A.W.....2.N......]..&.;..^8.$...C...eh....g..l.........U...FR..dQ\|-..P.f.

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllul/nq/llh:NllUyt
MD5:	AB80AD9A08E5B16132325DF5584B2CBE
SHA1:	F7411B7A5826EE6B139EBF40A7BEE999320EF923
SHA-256:	5FBE5D71CECADD2A3D66721019E68DD78C755AA39991A629AE81C77B531733A4
SHA-512:	9DE2FB33C0EA36E1E174850AD894659D6B842CD624C1A543B2D391C8EBC74719F47FA88D0C4493EA820611260364C979C9CDF16AF1C517132332423CA0CB7654
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_btfuky1j.nai.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c0uiwl12.a5h.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwkdcabi.g51.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xxglzpcw.taj.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Download File

Process:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530564693555266
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	5F1FEB7EA510D8FB9A35D5802519EBDB
SHA1:	76DFFF4701B450FDB9F1636C813CED8A2597C393
SHA-256:	478B5ED05CCC5C8760F4F9F8E9A805C0533166EC4C6068DD072EFCB3B83AD914
SHA-512:	86113DA5A1F402E3ECEA30BD21B6DBECFE2FC128206D622683EC5FA0B0D3E7106E9FF59B42268C8D159F7C7A26CB87C0C20CFF3B8388D8EC5F9F5A49C24A6BEC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp

Download File

Process:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.530564693555266
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	5F1FEB7EA510D8FB9A35D5802519EBDB
SHA1:	76DFFF4701B450FDB9F1636C813CED8A2597C393
SHA-256:	478B5ED05CCC5C8760F4F9F8E9A805C0533166EC4C6068DD072EFCB3B83AD914
SHA-512:	86113DA5A1F402E3ECEA30BD21B6DBECFE2FC128206D622683EC5FA0B0D3E7106E9FF59B42268C8D159F7C7A26CB87C0C20CFF3B8388D8EC5F9F5A49C24A6BEC
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-9LEP6.tmp\update.vac

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-41CGB.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3606016
Entropy (8bit):	7.0063494494702985
Encrypted:	false
SSDEEP:	49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
MD5:	95ACD5631A9131DB1FD066565AFC9A67
SHA1:	8E9473BD632FF0F57FC34EECAC17174341D80D94
SHA-256:	EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
SHA-512:	70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-H6C6K.tmp\update.vac

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3606016
Entropy (8bit):	7.0063494494702985
Encrypted:	false
SSDEEP:	49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
MD5:	95ACD5631A9131DB1FD066565AFC9A67
SHA1:	8E9473BD632FF0F57FC34EECAC17174341D80D94
SHA-256:	EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
SHA-512:	70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	406
Entropy (8bit):	5.117520345541057
Encrypted:	false
SSDEEP:	6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
MD5:	9200058492BCA8F9D88B4877F842C148
SHA1:	EED69748A26CFAF769EF589F395A162E87005B36
SHA-256:	BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
SHA-512:	312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
Malicious:	false
Preview:	..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.929735641736926
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	#U5b89#U88c5#U52a9#U624b2.0.4.exe
File size:	6'130'073 bytes
MD5:	824d18101868c00261fd732e2e713fa6
SHA1:	04df8109561e9a1aed04fa7ed7d4b3c931bde5c7
SHA256:	2e5c530decd37133e50f6b149f634973e54cf555abcb309e829a3e8dcd223724
SHA512:	e46b38c9686166825c2b9c181dd6367d71dd43efc1cd6787365b31efbd3d30485bb9af4309ef6282944012c4e13deaafb5615b05ee51696a5e5e4591b1f6997b
SSDEEP:	98304:XwREyCzROurNY2vz6L0BKz3tuUqNCP3vqUN/0HQL1mdruCXTTYE/t9+dMwZg6:lykdrNYu6QBKxONOvqUNn1UuusE/t9kn
TLSH:	A3561222F2C7E03EE05D0B3706B2A55494FB6A256923AE5796ECB4ECCF350601D3E257
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007FC3F4762235h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007FC3F47F3BBBh
call 00007FC3F47F370Eh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FC3F47EE3E8h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007FC3F475C2E3h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007FC3F47EF713h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FC3F47F3C43h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FC3F47FA92Ah
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007FC3F47F0008h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x11000	0x11000	83b103c4b8d25647aa6c77f46a91d41c	False	0.18768669577205882	data	3.722817808854048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xcc0e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xcc748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xcca30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xccb58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xce180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcf028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcf8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcfe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xd1120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd5348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd78f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd8998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd8e00	0x3f8	data			0.3198818897637795
RT_STRING	0xd91f8	0x2dc	data			0.36475409836065575
RT_STRING	0xd94d4	0x430	data			0.40578358208955223
RT_STRING	0xd9904	0x44c	data			0.38636363636363635
RT_STRING	0xd9d50	0x2d4	data			0.39226519337016574
RT_STRING	0xda024	0xb8	data			0.6467391304347826
RT_STRING	0xda0dc	0x9c	data			0.6410256410256411
RT_STRING	0xda178	0x374	data			0.4230769230769231
RT_STRING	0xda4ec	0x398	data			0.3358695652173913
RT_STRING	0xda884	0x368	data			0.3795871559633027
RT_STRING	0xdabec	0x2a4	data			0.4275147928994083
RT_RCDATA	0xdae90	0x10	data			1.5
RT_RCDATA	0xdaea0	0x310	data			0.6173469387755102
RT_RCDATA	0xdb1b0	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xdb1dc	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xdb298	0x584	data	English	United States	0.2776203966005666
RT_MANIFEST	0xdb81c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:02:05
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe"
Imagebase:	0xb0000
File size:	6'130'073 bytes
MD5 hash:	824D18101868C00261FD732E2E713FA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	07:02:07
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT
Imagebase:	0xb0000
File size:	6'130'073 bytes
MD5 hash:	824D18101868C00261FD732E2E713FA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Target ID:	6
Start time:	07:02:08
Start date:	24/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-8972P.tmp\#U5b89#U88c5#U52a9#U624b2.0.4.tmp" /SL5="$2044A,5175725,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.4.exe" /VERYSILENT
Imagebase:	0x250000
File size:	3'366'912 bytes
MD5 hash:	5F1FEB7EA510D8FB9A35D5802519EBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	07:02:10
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Imagebase:	0x7ff6486c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	07:02:11
Start date:	24/12/2024
Path:	C:\Program Files (x86)\Windows NT\7zr.exe
Wow64 process (32bit):	true
Commandline:	7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Imagebase:	0x850000
File size:	831'200 bytes
MD5 hash:	84DC4B92D860E8AEA55D12B1E87EA108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	14
Start time:	07:02:12
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff6486c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	07:02:13
Start date:	24/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	44
Start time:	07:02:14
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	58
Start time:	07:02:15
Start date:	24/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc start CleverSoar
Imagebase:	0x7ff6499c0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	66
Start time:	07:02:16
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff6486c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	82
Start time:	07:02:17
Start date:	24/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc start CleverSoar
Imagebase:	0x7ff6499c0000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	98
Start time:	07:02:18
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	105
Start time:	07:02:19
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff6486c0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.8%
Total number of Nodes:	779
Total number of Limit Nodes:	10

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U5b89#U88c5#U52a9#U624b2.0.4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows NT\7zr.exe

C:\Program Files (x86)\Windows NT\file.bin (copy)

C:\Program Files (x86)\Windows NT\hrsw.vbc

C:\Program Files (x86)\Windows NT\is-4KD5J.tmp

C:\Program Files (x86)\Windows NT\is-U16QK.tmp

C:\Program Files (x86)\Windows NT\locale.bin

C:\Program Files (x86)\Windows NT\locale.dat

C:\Program Files (x86)\Windows NT\locale2.bin

C:\Program Files (x86)\Windows NT\locale2.dat

C:\Program Files (x86)\Windows NT\locale3.bin

C:\Program Files (x86)\Windows NT\locale3.dat

C:\Program Files (x86)\Windows NT\locale4.bin

C:\Program Files (x86)\Windows NT\locale4.dat

C:\Program Files (x86)\Windows NT\locale7.bin

C:\Program Files (x86)\Windows NT\locale7.dat

C:\Program Files (x86)\Windows NT\res.dat

C:\Program Files (x86)\Windows NT\tProtect.dll

C:\Program Files (x86)\Windows NT\task.xml

C:\Program Files (x86)\Windows NT\trash

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.4.exe

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre