Windows Analysis Report
LHRUnlocker Install.msi

Overview

General Information

Sample Name: LHRUnlocker Install.msi
Analysis ID: 577501
MD5: ca17c1bbedc959ad89f1c1dbf6b7aa32
SHA1: d24658face1f6fd3b457d7250c9b1a630798678d
SHA256: 8fb46d2d56dd411ad10862204849abf9a4546f1ab1d40bcb6b0cac284debc055
Infos:

Detection

Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Script Execution From Temp Folder
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Powershell Defender Exclusion
Adds a directory exclusion to Windows Defender
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb> source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbj source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb` source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000014.00000002.567216756.0000000003417000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png0
Source: powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.569706056.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569503503.0000000005321000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://t2.symcb.com0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://tl.symcd.com0&
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr String found in binary or memory: http://www.winimage.com/zLibDll
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr String found in binary or memory: http://www.winimage.com/zLibDll1.2.7rbr
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr String found in binary or memory: https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester0
Source: powershell.exe, 00000008.00000003.527476361.00000000057BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 3c1a5a.msi.1.dr String found in binary or memory: https://t.me/LHRUnlockerChannelButtonText_Finish&FinishManufacturerSergeyProductCode
Source: 3c1a5a.msi.1.dr String found in binary or memory: https://t.me/LHRUnlockerMSIFASTINSTALLAI_CURRENT_YEAR2022ButtonText_Decline&DeclineAI_PREDEF_LCONDS_
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: https://www.advancedinstaller.com
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: https://www.thawte.com/cps0/
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr String found in binary or memory: https://www.thawte.com/repository0W
Yara signature match
Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI1FD8.tmp Jump to behavior
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3c1a5a.msi Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00874080 8_2_00874080
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_008755B8 8_2_008755B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00873168 8_2_00873168
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00870B90 8_2_00870B90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_008793B8 8_2_008793B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00874BC8 8_2_00874BC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0087CB70 8_2_0087CB70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00871428 8_2_00871428
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0087B6B0 8_2_0087B6B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0087B6A0 8_2_0087B6A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_0087B6B0 8_2_0087B6B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00887538 8_2_00887538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_035DB9B0 20_2_035DB9B0
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameviewer.exeF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameShortcutFlags.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameFileOperations.dllF vs LHRUnlocker Install.msi
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4 Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue." Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220223 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmp Jump to behavior
Source: classification engine Classification label: mal45.evad.winMSI@11/20@0/0
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: LHRUnlocker Install.msi Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_01
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: C:\Windows\System32\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: LHRUnlocker Install.msi Static file information: File size 7207424 > 1048576
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb> source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbj source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb` source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00873168 push eax; mov dword ptr [esp], edx 8_2_00873464
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00878B31 push eax; retf 8_2_00878B3D
Drops PE files
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF513.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF34C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF280.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF69B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3268.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2874.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF832.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1FD8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF447.tmp Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3268.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2874.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1FD8.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908 Thread sleep count: 2777 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908 Thread sleep count: 366 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5612 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5736 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5736 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF513.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF34C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF280.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2874.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF447.tmp Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2777 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 366 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: powershell.exe, 00000008.00000002.571424300.000000000545F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.570148293.0000000005001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: MSIF69B.tmp.0.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.571424300.000000000545F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.570148293.0000000005001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Cl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Adds a directory exclusion to Windows Defender
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue." Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue." Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 577501 Sample: LHRUnlocker Install.msi Startdate: 23/02/2022 Architecture: WINDOWS Score: 45 46 Sigma detected: Powershell Defender Exclusion 2->46 48 Sigma detected: Change PowerShell Policies to a Unsecure Level 2->48 50 Sigma detected: Suspicious Script Execution From Temp Folder 2->50 8 msiexec.exe 3 8 2->8         started        11 msiexec.exe 12 2->11         started        process3 file4 26 C:\Windows\Installer\MSI3268.tmp, PE32 8->26 dropped 28 C:\Windows\Installer\MSI2874.tmp, PE32 8->28 dropped 30 C:\Windows\Installer\MSI1FD8.tmp, PE32 8->30 dropped 13 msiexec.exe 8 8->13         started        16 msiexec.exe 8->16         started        32 C:\Users\user\AppData\Local\...\MSIF832.tmp, PE32 11->32 dropped 34 C:\Users\user\AppData\Local\...\MSIF69B.tmp, PE32 11->34 dropped 36 C:\Users\user\AppData\Local\...\MSIF513.tmp, PE32 11->36 dropped 38 4 other files (none is malicious) 11->38 dropped process5 file6 40 C:\Users\user\AppData\Local\...\scr3351.ps1, Little-endian 13->40 dropped 42 C:\Users\user\AppData\Local\...\pss341F.ps1, Little-endian 13->42 dropped 19 powershell.exe 19 13->19         started        44 Bypasses PowerShell execution policy 16->44 signatures7 process8 signatures9 52 Adds a directory exclusion to Windows Defender 19->52 22 powershell.exe 1 19->22         started        24 conhost.exe 19->24         started        process10
No contacted IP infos