Edit tour

Windows Analysis Report
LHRUnlocker Install.msi

Overview

General Information

Sample Name:	LHRUnlocker Install.msi
Analysis ID:	577501
MD5:	ca17c1bbedc959ad89f1c1dbf6b7aa32
SHA1:	d24658face1f6fd3b457d7250c9b1a630798678d
SHA256:	8fb46d2d56dd411ad10862204849abf9a4546f1ab1d40bcb6b0cac284debc055
Infos:

Detection

Score:	45
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Suspicious Script Execution From Temp Folder

Bypasses PowerShell execution policy

Sigma detected: Change PowerShell Policies to a Unsecure Level

Sigma detected: Powershell Defender Exclusion

Adds a directory exclusion to Windows Defender

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 4348 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 3744 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4884 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 6736 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

powershell.exe (PID: 7036 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue." MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 7036	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xbd9b:$sa2: -encodedCommand 0xbdc7:$sa2: -encodedCommand 0xc4ac:$sa2: -EncodedCommand 0xcfb6:$sa2: -EncodedCommand 0xd051:$sa2: -encodedCommand 0x11e5:$sc2: -NoProfile 0x48a3:$sc2: -NoProfile 0x684d:$sc2: -NoProfile 0x286cc:$sc2: -NoProfile 0x316ce:$sc2: -NoProfile 0x3181e:$sc2: -NoProfile 0x31c90:$sc2: -NoProfile 0x32004:$sc2: -NoProfile 0x32289:$sc2: -NoProfile 0x32607:$sc2: -NoProfile 0x3c815:$sc2: -NoProfile 0x7b6f6:$sc2: -NoProfile 0x7b846:$sc2: -NoProfile 0x7c19f:$sc2: -NoProfile 0x7c503:$sc2: -NoProfile 0x7cbcd:$sc2: -NoProfile

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036

Sigma detected: Change PowerShell Policies to a Unsecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, ProcessId: 6712

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132901445801825560.7036.DefaultAppDomain.powershell

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb> source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbj source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb` source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000014.00000002.567216756.0000000003417000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png0
Source: powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.569706056.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569503503.0000000005321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	String found in binary or memory: http://www.winimage.com/zLibDll
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	String found in binary or memory: http://www.winimage.com/zLibDll1.2.7rbr
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	String found in binary or memory: https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester0
Source: powershell.exe, 00000008.00000003.527476361.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 3c1a5a.msi.1.dr	String found in binary or memory: https://t.me/LHRUnlockerChannelButtonText_Finish&FinishManufacturerSergeyProductCode
Source: 3c1a5a.msi.1.dr	String found in binary or memory: https://t.me/LHRUnlockerMSIFASTINSTALLAI_CURRENT_YEAR2022ButtonText_Decline&DeclineAI_PREDEF_LCONDS_
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR

Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1FD8.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\3c1a5a.msi

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00874080	8_2_00874080
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_008755B8	8_2_008755B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00873168	8_2_00873168
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00870B90	8_2_00870B90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_008793B8	8_2_008793B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00874BC8	8_2_00874BC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0087CB70	8_2_0087CB70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00871428	8_2_00871428
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0087B6B0	8_2_0087B6B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0087B6A0	8_2_0087B6A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0087B6B0	8_2_0087B6B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00887538	8_2_00887538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_035DB9B0	20_2_035DB9B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 98%

Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameviewer.exeF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameShortcutFlags.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameFileOperations.dllF vs LHRUnlocker Install.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220223

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmp

Jump to behavior

Source: classification engine

Classification label: mal45.evad.winMSI@11/20@0/0

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: LHRUnlocker Install.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_01

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: LHRUnlocker Install.msi

Static file information: File size 7207424 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb> source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbj source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb` source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00873168 push eax; mov dword ptr [esp], edx		8_2_00873464
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00878B31 push eax; retf		8_2_00878B3D

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF513.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF34C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF280.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF69B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3268.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2874.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF832.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1FD8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF447.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3268.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2874.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1FD8.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908	Thread sleep count: 2777 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908	Thread sleep count: 366 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5612	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5736	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF513.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF34C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF280.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2874.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF447.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2777			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 366			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: powershell.exe, 00000008.00000002.571424300.000000000545F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.570148293.0000000005001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: MSIF69B.tmp.0.dr	Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.571424300.000000000545F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.570148293.0000000005001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Cl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."

Adds a directory exclusion to Windows Defender

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."			Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	21 Masquerading	OS Credential Dumping	1 Security Software Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LHRUnlocker Install.msi	0%	Virustotal		Browse
LHRUnlocker Install.msi	0%	Metadefender		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\MSIEF62.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIEF62.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF280.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF280.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF34C.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF34C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF447.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF447.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF513.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF513.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF69B.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF69B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF832.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF832.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png0	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://t.me/LHRUnlockerMSIFASTINSTALLAI_CURRENT_YEAR2022ButtonText_Decline&DeclineAI_PREDEF_LCONDS_	3c1a5a.msi.1.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png0	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester0	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.thawte.com/cps0/	LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr	LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000008.00000003.527476361.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.thawte.com/repository0W	LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/LHRUnlockerChannelButtonText_Finish&FinishManufacturerSergeyProductCode	3c1a5a.msi.1.dr	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.advancedinstaller.com	LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	false		high
http://www.winimage.com/zLibDll	LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html0	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.569706056.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569503503.0000000005321000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll1.2.7rbr	LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	577501
Start date:	23.02.2022
Start time:	18:48:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	LHRUnlocker Install.msi
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal45.evad.winMSI@11/20@0/0
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 91 Number of non-executed functions: 9
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.54.104.15
Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 7036 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
18:50:55	API Interceptor	7x Sleep call for process: powershell.exe modified

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.8968676994158
Encrypted:	false
SSDEEP:	96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5:	36DE9155D6C265A1DE62A448F3B5B66E
SHA1:	02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256:	8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512:	C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\MSIEF62.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	408544
Entropy (8bit):	6.410598211463919
Encrypted:	false
SSDEEP:	6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
MD5:	5D25243E90673C44AC420D69676F9062
SHA1:	23234013562F7EF738DB615246D391B8E191B475
SHA-256:	0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
SHA-512:	47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF280.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	408544
Entropy (8bit):	6.410598211463919
Encrypted:	false
SSDEEP:	6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
MD5:	5D25243E90673C44AC420D69676F9062
SHA1:	23234013562F7EF738DB615246D391B8E191B475
SHA-256:	0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
SHA-512:	47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF34C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	408544
Entropy (8bit):	6.410598211463919
Encrypted:	false
SSDEEP:	6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
MD5:	5D25243E90673C44AC420D69676F9062
SHA1:	23234013562F7EF738DB615246D391B8E191B475
SHA-256:	0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
SHA-512:	47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF447.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	408544
Entropy (8bit):	6.410598211463919
Encrypted:	false
SSDEEP:	6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
MD5:	5D25243E90673C44AC420D69676F9062
SHA1:	23234013562F7EF738DB615246D391B8E191B475
SHA-256:	0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
SHA-512:	47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF513.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	408544
Entropy (8bit):	6.410598211463919
Encrypted:	false
SSDEEP:	6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
MD5:	5D25243E90673C44AC420D69676F9062
SHA1:	23234013562F7EF738DB615246D391B8E191B475
SHA-256:	0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
SHA-512:	47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF69B.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	895968
Entropy (8bit):	6.449966561388975
Encrypted:	false
SSDEEP:	24576:fs3GWVtxNzxu3BBvF/BRROunzpGsOZ9d9lO1a:Kf7xuxBvF/BRROAUsOZ9d9lO1a
MD5:	22D986F98F87F5521ED2F3EDAA9374CA
SHA1:	9A1A233277E5A3A0A2565BFCAE593AF13B907EBF
SHA-256:	8E896FF52ED8FF11CC74907ECB2A5B9B9267289E54C956F9C9E07E8BA3A6D175
SHA-512:	69702074D8C9A5B33D948519A889F7671D374DDC2F2C3FAC8A4F0126E3C4A218077A015899AE54C7FA56E5198C57F4EFC55AD56227E9FFC02F3F412CFAFFAA5B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.Z...4P..4P..4P..7Q..4P..1Q..4PN.0Q..4PN.7Q..4PN.1QN.4P..0Q..4P..5Q..4P..5P1.4P..=Q,.4P..4Q..4P...P..4P...P..4P..6Q..4PRich..4P........................PE..L......a.........."!................%........0............................................@.............................t.......................................<...x...p..............................@............0...............................text............................... ..`.rdata..V....0......................@..@.data..............................@....rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MSIF832.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	408544
Entropy (8bit):	6.410598211463919
Encrypted:	false
SSDEEP:	6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
MD5:	5D25243E90673C44AC420D69676F9062
SHA1:	23234013562F7EF738DB615246D391B8E191B475
SHA-256:	0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
SHA-512:	47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xdfaoyo.lnf.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2ddoyuu.1tk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lf5no10l.5dz.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhr5i13g.js1.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\pss341F.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	5784
Entropy (8bit):	3.4920621874565785
Encrypted:	false
SSDEEP:	96:5wb5jTmmywV2BVrIovmkiGjxcj6BngOcvjb:5wbdTif/njVyvb
MD5:	FC1BB6C87FD1F08B534E52546561C53C
SHA1:	DB402C5C1025CF8D3E79DF7B868FD186243AA9D1
SHA-256:	A04750ED5F05B82B90F6B8EA3748BA246AF969757A5A4B74A0E25B186ADD520B
SHA-512:	5495F4AC3C8F42394A82540449526BB8DDD91ADF0A1A852A9E1F2D32A63858B966648B4099D9947D8AC68EE43824DACDA24C337C5B97733905E36C4921280E86
Malicious:	true
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . . .[.s.t.r.i.n.g.]. .$.t.e.s.t.P.r.e.f.i.x..... .,.[.s.w.i.t.c.h.]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\AppData\Local\Temp\scr3351.ps1

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Little-endian UTF-16 Unicode text, with CR line terminators
Category:	dropped
Size (bytes):	120
Entropy (8bit):	3.430931929528047
Encrypted:	false
SSDEEP:	3:QVQlFc2TfSl5WLlgBI2Pv02qGKl+L9QlN6s9:QyXcnl5WmIW02qG/pwcs9
MD5:	2315AD4D342DA36907D6F4869069497B
SHA1:	5E3E895E13CEFA06D808F1C68F78C0CC36257399
SHA-256:	3CD5D3E66D38E6E65263815493D9E60E7F2B7409871849C9D59CFD114E4393FA
SHA-512:	6930FBB9E6E3905206B5294B1E54B200DCD66CBD29AD9136F166979B99381B53E0F61FE383BCE4552647B56AD601AD953F8577521AAFC4AA4B35408524A6DD55
Malicious:	true
Preview:	..p.o.w.e.r.s.h.e.l.l. .-.C.o.m.m.a.n.d. .A.d.d.-.M.p.P.r.e.f.e.r.e.n.c.e. .-.E.x.c.l.u.s.i.o.n.P.a.t.h. .".C.:.\.".....

C:\Users\user\Documents\20220223\PowerShell_transcript.878411.jRMym6xB.20220223184945.txt

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	865
Entropy (8bit):	5.4070958573132915
Encrypted:	false
SSDEEP:	24:BxSAQ1xvBnLx2DOXviNTTBP+7jJiX3Uu6WuHjeTKKjX4CIym1ZJXa:BZQHvhLoO/iBTFwjJuUwuqDYB1ZA
MD5:	28C57BA3B7B030A70108B8AF781422EB
SHA1:	68D31051121C9DB8F3442D8327BDF4D544B3A0B3
SHA-256:	BFE176E6456C0E5DF3681A93DEFF659AAC3890666B296ADB648F34BEFEE03F35
SHA-512:	5908FF1C3AFEB542ED1DD8556E29FC281562BC6C3C87923D48274D148B210586ECBE33CFE031B015DF71249E82FBED58FC571668D8C177F73A279A891961E07A
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220223185032..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\pss341F.ps1 -propFile C:\Users\user\AppData\Local\Temp\msi3350.txt -scriptFile C:\Users\user\AppData\Local\Temp\scr3351.ps1 -scriptArgsFile C:\Users\user\AppData\Local\Temp\scr3352.txt -propSep :<->: -testPrefix _testValue...Process ID: 7036..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..********************..

C:\Windows\Installer\3c1a5a.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F58EB665-B875-433C-AEBE-8C055BEC1E2C}, Number of Words: 2, Subject: NVIDIA RTX LHR v2 unlocker, Author: Sergey, Name of Creating Application: NVIDIA RTX LHR v2 unlocker, Template: x64;2057, Comments: This installer database contains the logic and data required to install NVIDIA RTX LHR v2 unlocker., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Category:	dropped
Size (bytes):	7207424
Entropy (8bit):	7.562593437382455
Encrypted:	false
SSDEEP:	196608:7+XqI6tGPI9Wo7x4dC29R/LcgZxVHh5J:7+aI6tGPI0k4YaB
MD5:	CA17C1BBEDC959AD89F1C1DBF6B7AA32
SHA1:	D24658FACE1F6FD3B457D7250C9B1A630798678D
SHA-256:	8FB46D2D56DD411AD10862204849ABF9A4546F1AB1D40BCB6B0CAC284DEBC055
SHA-512:	238F6E7B51A8D10B3828C3C9CEC4E24725B8A5D4503CD5B9EFF941906875057728DFD8D90DA456EDBB71A8FA8F68E60042961EE2AF56C0BC68F31F64FD066F6B
Malicious:	false
Preview:	......................>...................n.......................W...........I.......e.......6...7...8...9...:...;...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...,...-......./...c...d...e...f...g...h...i................................................... ...!..."................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...............................#...0........................................................................................... ...!..."...-.../...%...&...'...(...)......+...,...........1...5...A...2...3...4...7...6...>...8...9...:...;...<...=...H...?...@.......B...C...D...E...F...G...>...@.......K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Windows\Installer\MSI1FD8.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	408544
Entropy (8bit):	6.410598211463919
Encrypted:	false
SSDEEP:	6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
MD5:	5D25243E90673C44AC420D69676F9062
SHA1:	23234013562F7EF738DB615246D391B8E191B475
SHA-256:	0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
SHA-512:	47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI2874.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	408544
Entropy (8bit):	6.410598211463919
Encrypted:	false
SSDEEP:	6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
MD5:	5D25243E90673C44AC420D69676F9062
SHA1:	23234013562F7EF738DB615246D391B8E191B475
SHA-256:	0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
SHA-512:	47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI3268.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	589280
Entropy (8bit):	6.56720964313755
Encrypted:	false
SSDEEP:	12288:LCtfiZk5vSCOJf0egTmTBBAkvAfFBtVLK+AfgTD0vEhWQsQT6cFsDw9gA:490P36htVLK+AfgTovcj2cF6w9gA
MD5:	3B340A09B1218A0E699D497E1651B366
SHA1:	B60163743239704D217C983F040DAF256EE31BCB
SHA-256:	462B7E38D364571DF6751FFC2624CC993F19025909CCE39801217267E544AAF2
SHA-512:	14E7A5E93F06DC74D6ADEA793F6E79DD44BB9C5E65288FC44E619A95E3DC45D93B3D58CD812846CE499AB93F87CF60F794CD4972F34732DF3B6A5721B6BFD725
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........;...Z.J.Z.J.Z.J~(.K.Z.J~(.K.Z.J~(.K.Z.J./.K.Z.J./.K.Z.J..!J.Z.J./.K.Z.J~(.K.Z.J.Z.J.[.J./.K.Z.J./.K.Z.J./#J.Z.J.ZKJ.Z.J./.K.Z.JRich.Z.J........................PE..L......a.........."!.........Z......;........................................ ............@..........................o......,p...................................T......p...................@.......x...@...............L............................text............................... ..`.rdata..............................@..@.data................l..............@....rsrc...............................@..@.reloc...T.......V..................@..B........................................................................................................................................................................................................................................................................

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	122558
Entropy (8bit):	5.3635233263223
Encrypted:	false
SSDEEP:	1536:iHzMV+f84vcIH17Yyxkjr0+NVRVle+yjeLWJOQzi7gZFOIKICh/81r8yQ1oXB4Hh:iHHJCoX5Ch
MD5:	CA1354FADB546AD9B3BFCF11E530A8E0
SHA1:	FBEC253189D62BFB3C42EB50C195D380F7C53E43
SHA-256:	284817E661E96F813EBFC20CFC991C7C3D72129E395D8BAFD24AFB898FF93EF8
SHA-512:	4B882C5B1A92EC59FF4BE87CE141578B0B06EA0099BF8D9606AFA2361204E22B33B642B5A59944ED42B17CD07115A44DB3E07608BDDC8F8F0C233CBA6ED9EED1
Malicious:	false
Preview:	.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F58EB665-B875-433C-AEBE-8C055BEC1E2C}, Number of Words: 2, Subject: NVIDIA RTX LHR v2 unlocker, Author: Sergey, Name of Creating Application: NVIDIA RTX LHR v2 unlocker, Template: x64;2057, Comments: This installer database contains the logic and data required to install NVIDIA RTX LHR v2 unlocker., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.562593437382455
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	LHRUnlocker Install.msi
File size:	7207424
MD5:	ca17c1bbedc959ad89f1c1dbf6b7aa32
SHA1:	d24658face1f6fd3b457d7250c9b1a630798678d
SHA256:	8fb46d2d56dd411ad10862204849abf9a4546f1ab1d40bcb6b0cac284debc055
SHA512:	238f6e7b51a8d10b3828c3c9cec4e24725b8a5d4503cd5b9eff941906875057728dfd8d90da456edbb71a8fa8f68e60042961ee2af56c0bc68f31f64fd066f6b
SSDEEP:	196608:7+XqI6tGPI9Wo7x4dC29R/LcgZxVHh5J:7+aI6tGPI0k4YaB
File Content Preview:	........................>...................n.......................W...........I.......e.......6...7...8...9...:...;...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...,...-......./...c...d...e...f...g...h...i......................................

File Icon


Icon Hash:	a2a0b496b2caca72

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "LHRUnlocker Install.msi"

Indicators

Has Summary Info:	True
Application Name:	NVIDIA RTX LHR v2 unlocker
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Code Page:	1252
Title:	Installation Database
Subject:	NVIDIA RTX LHR v2 unlocker
Author:	Sergey
Keywords:	Installer, MSI, Database
Comments:	This installer database contains the logic and data required to install NVIDIA RTX LHR v2 unlocker.
Template:	x64;2057
Last Saved By:
Revion Number:	{F58EB665-B875-433C-AEBE-8C055BEC1E2C}
Last Printed:	2009-12-11 11:47:44.850000
Create Time:	2009-12-11 11:47:44.850000
Last Saved Time:	2020-09-18 14:06:51.913000
Number of Pages:	200
Number of Words:	2
Creating Application:	NVIDIA RTX LHR v2 unlocker
Security:	0

Streams

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 596

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	596
Entropy:	4.74586135252
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . X . . . . . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . # . . W z . . @ . . . # . . W z . . @ . . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . { F 5 8 E B 6 6 5 - B 8
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 24 02 00 00 10 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 01 00 00 00 b4 00 00 00 09 00 00 00 bc 00 00 00 0f 00 00 00 ec 00 00 00 03 00 00 00 f4 00 00 00 04 00 00 00 18 01 00 00

Stream Path: \x16786\x17522\x15550\x15884\x18327\x18152\x18472, File Type: MS Windows icon resource - 4 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel, Stream Size: 22257

General
Stream Path:	\x16786\x17522\x15550\x15884\x18327\x18152\x18472
File Type:	MS Windows icon resource - 4 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Stream Size:	22257
Entropy:	4.03626304959
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . h . . . F . . . . . . . . ( . . . . . . . 0 0 . . . . . h & . . . . . . . . . . . . . . . . . > < . . ( . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 04 00 10 10 00 00 01 00 20 00 68 04 00 00 46 00 00 00 20 20 00 00 01 00 20 00 28 11 00 00 ae 04 00 00 30 30 00 00 01 00 20 00 68 26 00 00 d6 15 00 00 00 00 00 00 01 00 20 00 b3 1a 00 00 3e 3c 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x15358\x17388\x15912\x16947\x16693\x17207\x17522\x18358\x17383\x18479, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 407008

General
Stream Path:	\x17163\x16689\x18229\x15358\x17388\x15912\x16947\x16693\x17207\x17522\x18358\x17383\x18479
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	407008
Entropy:	6.5620566215
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . . G . O . . . O . . . O . . . = . . . O . . . = . . l O . . . = . . . O . . . : . . . O . . . : . . . O . . . : . . . O . . b : . . . O . . b : . . . O . . . = . . . O . . . O . . . N . . b : . . . O . . b : . . . O . . b : S . . O . . . O ; . . O . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x15870\x18088, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size:	318
Entropy:	2.03444158006
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x15998\x18098\x17768\x17116\x17384\x16175\x17766\x17644\x15735\x17956\x16817\x16939\x18357\x17383\x18479, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 589280

General
Stream Path:	\x17163\x16689\x18229\x15998\x18098\x17768\x17116\x17384\x16175\x17766\x17644\x15735\x17956\x16817\x16939\x18357\x17383\x18479
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	589280
Entropy:	6.56720964314
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . ; . . . Z . J . Z . J . Z . J ~ ( . K . Z . J ~ ( . K . Z . J ~ ( . K . Z . J . / . K . Z . J . / . K . Z . J . . ! J . Z . J . / . K . Z . J ~ ( . K . Z . J . Z . J . [ . J . / . K . Z . J . / . K . Z . J . / # J . Z . J . Z K J . Z . J . / . K . Z . J
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x16190\x17010\x18103\x17764\x15208\x17896\x16808\x17591\x18357\x17383\x18479, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 895968

General
Stream Path:	\x17163\x16689\x18229\x16190\x17010\x18103\x17764\x15208\x17896\x16808\x17591\x18357\x17383\x18479
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	895968
Entropy:	6.44996656139
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . X . Z . . . 4 P . . 4 P . . 4 P . . 7 Q . . 4 P . . 1 Q . . 4 P N . 0 Q . . 4 P N . 7 Q . . 4 P N . 1 Q N . 4 P . . 0 Q . . 4 P . . 5 Q . . 4 P . . 5 P 1 . 4 P . . = Q , . 4 P . . 4 Q . . 4 P . . . P . . 4 P . . . P . . 4 P . . 6 Q . . 4 P R i c h . . 4 P
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x16190\x17579\x17909\x17958\x15351\x16687\x17834\x16894\x17391, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 288224

General
Stream Path:	\x17163\x16689\x18229\x16190\x17579\x17909\x17958\x15351\x16687\x17834\x16894\x17391
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	288224
Entropy:	6.58114708933
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . u S D A . . D A . . D A . . . 3 . . I A . . . 3 . . . A . . . 4 . . U A . . . 4 . . R A . . . 4 . . . A . . . 3 . . ] A . . . 3 . . E A . . . 3 . . U A . . D A . . . A . . . 4 . . _ A . . . 4 . . E A . . . 4 . . E A . . D A . . E A . . . 4 . . E A . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x16318\x18483, File Type: MS Windows icon resource - 1 icon, 16x16, 16 colors, Stream Size: 318

General
Stream Path:	\x17163\x16689\x18229\x16318\x18483
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size:	318
Entropy:	2.03693614652
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

Stream Path: \x17163\x16689\x18229\x16702\x16812\x17848\x16695\x17894\x16894\x17391, File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, Stream Size: 408544

General
Stream Path:	\x17163\x16689\x18229\x16702\x16812\x17848\x16695\x17894\x16894\x17391
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	408544
Entropy:	6.41059821146
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . . 0 . . . c . . . c . . . c " . . b . . . c " . . b V . . c . . . b . . . c . . . b . . . c . . . b . . . c " . . b . . . c " . . b . . . c " . . b . . . c . . . c . . . c H . . b . . . c H . . b . . . c H . S c . . . c . . ; c . . . c H . . b . . . c
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14440\x14341\x17278\x17075, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 938x111, frames 3, Stream Size: 9319

General
Stream Path:	\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14440\x14341\x17278\x17075
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 938x111, frames 3
Stream Size:	9319
Entropy:	7.35217207818
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

Stream Path: \x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14440\x14658\x17278\x17075, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 625x74, frames 3, Stream Size: 5714

General
Stream Path:	\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14440\x14658\x17278\x17075
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 625x74, frames 3
Stream Size:	5714
Entropy:	7.42751568247
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

Stream Path: \x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14504\x14336\x17278\x17075, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1875x222, frames 3, Stream Size: 22946

General
Stream Path:	\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14504\x14336\x17278\x17075
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1875x222, frames 3
Stream Size:	22946
Entropy:	6.9205041088
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

Stream Path: \x17163\x16689\x18229\x16766\x17508\x16945\x18357\x17645\x18474, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x59, frames 3, Stream Size: 4502

General
Stream Path:	\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x17645\x18474
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x59, frames 3
Stream Size:	4502
Entropy:	7.59347638402
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

Stream Path: \x17163\x16689\x18229\x16766\x17508\x16945\x18357\x18038\x18474, File Type: SVG Scalable Vector Graphics image, Stream Size: 28870

General
Stream Path:	\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x18038\x18474
File Type:	SVG Scalable Vector Graphics image
Stream Size:	28870
Entropy:	4.29697375738
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " u t f - 8 " ? > . . < ! - - G e n e r a t o r : A d o b e I l l u s t r a t o r 2 5 . 2 . 3 , S V G E x p o r t P l u g - I n . S V G V e r s i o n : 6 . 0 0 B u i l d 0 ) - - > . . < s v g v e r s i o n = " 1 . 1 " i d = " L a y e r _ 8 " x m l n s = " h t t p : / / w w w . w 3 . o r g / 2 0 0 0 / s v g " x m l n s : x l i n k = " h t t p : / / w w w . w 3 . o r g / 1 9 9 9 / x l i n k " x = " 0 p x " y =
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 21 2d 2d 20 47 65 6e 65 72 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 20 32 35 2e 32 2e 33 2c 20 53 56 47 20 45 78 70 6f 72 74 20 50 6c 75 67 2d 49 6e 20 2e 20 53 56 47 20 56 65 72 73 69 6f 6e 3a 20 36 2e 30 30 20 42 75 69 6c 64 20 30

Stream Path: \x17163\x16689\x18229\x16830\x16880\x17199\x17329\x17764\x17589\x18490, File Type: MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel, Stream Size: 2862

General
Stream Path:	\x17163\x16689\x18229\x16830\x16880\x17199\x17329\x17764\x17589\x18490
File Type:	MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Stream Size:	2862
Entropy:	3.16043065194
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . 6 . . . . . . . . . . . h . . . ^ . . . . . . . . . . h . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w v . . . . . " " " " " o . . " " " " " o . . w w w " " . . . . . . " / . . . .
Data Raw:	00 00 01 00 03 00 10 10 10 00 00 00 04 00 28 01 00 00 36 00 00 00 10 10 00 00 00 00 08 00 68 05 00 00 5e 01 00 00 10 10 00 00 00 00 20 00 68 04 00 00 c6 06 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0

Stream Path: \x17163\x16689\x18229\x16830\x17458\x17395\x17896\x18476, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x16830\x17458\x17395\x17896\x18476
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.35906224297
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . . . . . { . w . . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x16830\x17848\x17207\x17574\x18481, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x16830\x17848\x17207\x17574\x18481
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.29856879699
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . . . . . { . w . . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14440\x14341\x17278\x17075, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 938x593, frames 3, Stream Size: 27770

General
Stream Path:	\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14440\x14341\x17278\x17075
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 938x593, frames 3
Stream Size:	27770
Entropy:	7.06368048149
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

Stream Path: \x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14440\x14658\x17278\x17075, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 625x395, frames 3, Stream Size: 16673

General
Stream Path:	\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14440\x14658\x17278\x17075
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 625x395, frames 3
Stream Size:	16673
Entropy:	7.30816983161
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

Stream Path: \x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14504\x14336\x17278\x17075, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1875x1185, frames 3, Stream Size: 69692

General
Stream Path:	\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14504\x14336\x17278\x17075
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1875x1185, frames 3
Stream Size:	69692
Entropy:	6.08285538491
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

Stream Path: \x17163\x16689\x18229\x16894\x16684\x17583\x18346\x17645\x18474, File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x316, frames 3, Stream Size: 12626

General
Stream Path:	\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x17645\x18474
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x316, frames 3
Stream Size:	12626
Entropy:	7.45034483136
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

Stream Path: \x17163\x16689\x18229\x16894\x16684\x17583\x18346\x18038\x18474, File Type: SVG Scalable Vector Graphics image, Stream Size: 33179

General
Stream Path:	\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x18038\x18474
File Type:	SVG Scalable Vector Graphics image
Stream Size:	33179
Entropy:	4.25625006704
Base64 Encoded:	True
Data ASCII:	< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " u t f - 8 " ? > . . < ! - - G e n e r a t o r : A d o b e I l l u s t r a t o r 2 5 . 2 . 3 , S V G E x p o r t P l u g - I n . S V G V e r s i o n : 6 . 0 0 B u i l d 0 ) - - > . . < s v g v e r s i o n = " 1 . 1 " i d = " M o n o _ 1 _ " x m l n s = " h t t p : / / w w w . w 3 . o r g / 2 0 0 0 / s v g " x m l n s : x l i n k = " h t t p : / / w w w . w 3 . o r g / 1 9 9 9 / x l i n k " x = " 0 p x " y =
Data Raw:	3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 21 2d 2d 20 47 65 6e 65 72 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 20 32 35 2e 32 2e 33 2c 20 53 56 47 20 45 78 70 6f 72 74 20 50 6c 75 67 2d 49 6e 20 2e 20 53 56 47 20 56 65 72 73 69 6f 6e 3a 20 36 2e 30 30 20 42 75 69 6c 64 20 30

Stream Path: \x17163\x16689\x18229\x16958\x16827\x16687\x17200\x18470, File Type: MS Windows icon resource - 1 icon, 32x32, 16 colors, Stream Size: 766

General
Stream Path:	\x17163\x16689\x18229\x16958\x16827\x16687\x17200\x18470
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	3.3484862649
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 1 . . . . . . . . . . . . 3 3 2 3 3 3 3 3 3 3 3 3 3 3 3 . 3 3 $ D D D D D D D D D D D @ 1 . 2 D D D D D D D D D D D D D . . 2 D D D D D D @ D D D D D D C . 2 D D D D D D 3 4 D D D D D C . 2 D D D D D @ 3 0 D D D D D . . 3 $ D D D D D 3 4 D D D D D 1 . 3 $
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c0 c0 00 80 80 80 00 00 80 80 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 33

Stream Path: \x17163\x16689\x18229\x17214\x17009\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors, Stream Size: 1078

General
Stream Path:	\x17163\x16689\x18229\x17214\x17009\x18482
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
Stream Size:	1078
Entropy:	2.86422695486
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . ( . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . w p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . w w . . . w w . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 10 10 10 00 00 00 00 00 28 01 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x17214\x17841\x17207\x17574\x18481, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x17214\x17841\x17207\x17574\x18481
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.40653521205
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . w . . . . . . . . . . p . . x . . . . w . . . . . . . . x . . . w . . w . . . . . . . p . . x x . . w ~ . . . . . . . . x . . . . . ~ . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x17790\x17448\x18034\x16812\x18482, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x17790\x17448\x18034\x16812\x18482
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.92283562852
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . w w . . . . . . . . . . . . w . f . w . . . . . . w . . . . . v v f . w . . . . . . . . . . . n f f l . w . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x17790\x17640\x17188\x17205\x18470, File Type: MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32, Stream Size: 2998

General
Stream Path:	\x17163\x16689\x18229\x17790\x17640\x17188\x17205\x18470
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.6676615263
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . ( . . . { . w . . . . . . . . . ( x x x . . . . . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

Stream Path: \x17163\x16689\x18229\x17918\x16740\x16677\x17318, File Type: PC bitmap, Windows 3.x format, 1 x 200 x 24, Stream Size: 854

General
Stream Path:	\x17163\x16689\x18229\x17918\x16740\x16677\x17318
File Type:	PC bitmap, Windows 3.x format, 1 x 200 x 24
Stream Size:	854
Entropy:	3.80253159876
Base64 Encoded:	False
Data ASCII:	B M V . . . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	42 4d 56 03 00 00 00 00 00 00 36 00 00 00 28 00 00 00 01 00 00 00 c8 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ef f3 f4 00 ef f3 f4 00 ef f3 f4 00 ef f4 f4 00 ef f4 f4 00 ef f4 f5 00 ef f4 f5 00 ef f4 f5 00 ef f4

Stream Path: \x17163\x16689\x18229\x18046\x16940\x16954\x18357\x18152\x18472, File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Stream Size: 399328

General
Stream Path:	\x17163\x16689\x18229\x18046\x16940\x16954\x18357\x18152\x18472
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Stream Size:	399328
Entropy:	6.5891658431
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . M . . , N . . , N . . , N . B ^ M . . , N . B ^ K . = , N . . Y J . . , N . . Y M . . , N . . Y K . . , N . B ^ J . . , N . B ^ H . . , N . B ^ O . . , N . . , O . . , N . ( Y G . . , N . ( Y . . . , N . . , . . . , N . ( Y L . . , N . R i c h . , N .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

Stream Path: \x17191\x17334\x18305\x16678\x18469, File Type: Microsoft Cabinet archive data, 3753879 bytes, 4 files, Stream Size: 3753879

General
Stream Path:	\x17191\x17334\x18305\x16678\x18469
File Type:	Microsoft Cabinet archive data, 3753879 bytes, 4 files
Stream Size:	3753879
Entropy:	7.997971703
Base64 Encoded:	True
Data ASCII:	M S C F . . . . . G 9 . . . . . , . . . . . . . . . . . . . . . . . . . . . . . H . . . . & > . . . . . . . . R . C . c o r e l i b . d l l . . . . . . & > . . . . R . C . M o n o H e l p e r . d l l . . . ) . . . J . . . . R . C . S y s t e m . d l l . . . / . . . t . . . . R . C . S y s t e m . X m l . d l l . . . . . N 9 . . C K . : . t . . u . o f . . . . J Z . 4 . . - . . . y < . Z . V . . . - . . m . . . . . . q . . . . . ^ . k . . e . 1 . 4 . . . . 6 M . . . . . . i h O . ` . . . ` . . . q
Data Raw:	4d 53 43 46 00 00 00 00 97 47 39 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 04 00 00 00 d2 04 00 00 a1 00 00 00 48 01 01 00 00 26 3e 00 00 00 00 00 00 00 b2 52 c3 43 20 00 63 6f 72 65 6c 69 62 2e 64 6c 6c 00 00 e8 0b 00 00 26 3e 00 00 00 b2 52 a4 43 20 00 4d 6f 6e 6f 48 65 6c 70 65 72 2e 64 6c 6c 00 00 fa 29 00 00 0e 4a 00 00 00 b2 52 a4 43 20 00 53 79 73 74 65 6d 2e 64 6c

Stream Path: \x18496\x15167\x17394\x17464\x17841, File Type: data, Stream Size: 1424

General
Stream Path:	\x18496\x15167\x17394\x17464\x17841
File Type:	data
Stream Size:	1424
Entropy:	4.90033147389
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . + . + . + . + . + . + . + . + . + . 5 . 5 . 5 . 9 . 9 . 9 . > . > . > . > . > . A . A . A . A . A . A . O . O . O . O . O . O . O . Q . Q . Q . V . V . V . V . V . V . V . V . V . X . X . Z . Z . \\ . \\ . \\ . ] . ] . ] . ^ . ^ . ^ . ^ . a . a . a . b . b . b . b . b . b . d . d . d . f . f . f . f . f . f . f . f . f . f . f . f . i . i . i . i . i . i . i . i . k . k . k . k . k . k . p . p . p . p . r . r . r . r . t . t . t . t . t . t .
Data Raw:	04 00 04 00 04 00 04 00 04 00 04 00 07 00 07 00 07 00 11 00 11 00 11 00 1b 00 1b 00 20 00 20 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 35 00 35 00 35 00 39 00 39 00 39 00 3e 00 3e 00 3e 00 3e 00 3e 00 41 00 41 00 41 00 41 00 41 00 41 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 51 00 51 00 51 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 58 00 58 00

Stream Path: \x18496\x15498\x15359\x17388\x15208\x18098\x17393\x16690\x18471, File Type: data, Stream Size: 12

General
Stream Path:	\x18496\x15498\x15359\x17388\x15208\x18098\x17393\x16690\x18471
File Type:	data
Stream Size:	12
Entropy:	2.61749246118
Base64 Encoded:	False
Data ASCII:	M . N . O . P . Q . . .
Data Raw:	4d 01 4e 01 4f 01 50 01 51 01 11 80

Stream Path: \x18496\x15518\x16925\x17915, File Type: data, Stream Size: 444

General
Stream Path:	\x18496\x15518\x16925\x17915
File Type:	data
Stream Size:	444
Entropy:	5.30938688259
Base64 Encoded:	False
Data ASCII:	D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " . $ . & . ( . * . , . . . 0 . 2 . 3 . 5 . 7 . 9 . ; . = . ? . A . C . D . F . H . I . K . M . O . Q . R . S . U . W . Y . [ . ] . _ . ` . a . c . e . g . i . k . m . o . q . s . u . w . y . { . } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . .
Data Raw:	44 01 d2 06 d4 06 d5 06 d7 06 d9 06 db 06 dc 06 de 06 df 06 e0 06 e2 06 e3 06 e5 06 e7 06 e8 06 ea 06 ec 06 ee 06 f0 06 f2 06 f4 06 f5 06 f7 06 f9 06 fb 06 fd 06 ff 06 01 07 03 07 05 07 07 07 09 07 0a 07 0c 07 0e 07 10 07 12 07 14 07 16 07 18 07 1a 07 1c 07 1e 07 20 07 22 07 24 07 26 07 28 07 2a 07 2c 07 2e 07 30 07 32 07 33 07 35 07 37 07 39 07 3b 07 3d 07 3f 07 41 07 43 07 44 07

Stream Path: \x18496\x16191\x17783\x17516\x15210\x17892\x18468, File Type: data, Stream Size: 85644

General
Stream Path:	\x18496\x16191\x17783\x17516\x15210\x17892\x18468
File Type:	data
Stream Size:	85644
Entropy:	4.96011447798
Base64 Encoded:	True
Data ASCII:	A t t r i b u t e s P a t c h S i z e F i l e _ P a t c h T y p e A c t i o n C o n d i t i o n S e q u e n c e C o s t F i n a l i z e C o s t I n i t i a l i z e T a b l e N a m e I n s t a l l F i n a l i z e I n s t a l l I n i t i a l i z e I n s t a l l V a l i d a t e A d v t E x e c u t e S e q u e n c e C r e a t e S h o r t c u t s M s i P u b l i s h A s s e m b l i e s P u b l i s h C o m p o n e n t s P u b l i s h F e a t u r e s P u b l i s h P r o d u c t R e g i s t e r C l a s s I n f o R
Data Raw:	41 74 74 72 69 62 75 74 65 73 50 61 74 63 68 53 69 7a 65 46 69 6c 65 5f 50 61 74 63 68 54 79 70 65 41 63 74 69 6f 6e 43 6f 6e 64 69 74 69 6f 6e 53 65 71 75 65 6e 63 65 43 6f 73 74 46 69 6e 61 6c 69 7a 65 43 6f 73 74 49 6e 69 74 69 61 6c 69 7a 65 54 61 62 6c 65 4e 61 6d 65 49 6e 73 74 61 6c 6c 46 69 6e 61 6c 69 7a 65 49 6e 73 74 61 6c 6c 49 6e 69 74 69 61 6c 69 7a 65 49 6e 73 74 61

Stream Path: \x18496\x16191\x17783\x17516\x15978\x17586\x18479, File Type: data, Stream Size: 7804

General
Stream Path:	\x18496\x16191\x17783\x17516\x15978\x17586\x18479
File Type:	data
Stream Size:	7804
Entropy:	3.45148937466
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 . . . . . . . m . . . ; . B . . . . . . . . . . . . . M . . . . . o . . . . . . . . . . .
Data Raw:	e4 04 00 00 0a 00 0e 00 09 00 02 00 05 00 02 00 05 00 0d 00 04 00 04 00 06 00 12 00 09 00 2b 00 08 00 10 00 0c 00 06 00 0e 00 06 00 00 00 00 00 05 00 02 00 04 00 06 00 0f 00 03 00 11 00 03 00 0f 00 04 00 13 00 07 00 0f 00 03 00 14 00 03 00 11 00 03 00 0f 00 03 00 0e 00 03 00 11 00 03 00 15 00 03 00 10 00 03 00 12 00 03 00 0c 00 05 00 07 00 02 00 06 00 02 00 06 00 02 00 0a 00 02 00

Stream Path: \x18496\x16255\x16740\x16943\x18486, File Type: data, Stream Size: 78

General
Stream Path:	\x18496\x16255\x16740\x16943\x18486
File Type:	data
Stream Size:	78
Entropy:	3.72765014155
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . + . 5 . 9 . > . A . O . Q . V . X . Z . \\ . ] . ^ . a . b . d . f . i . k . p . r . t . x . ~ . . . . . . . . . . . . . . . . . . . . .
Data Raw:	04 00 07 00 11 00 1b 00 20 00 2b 00 35 00 39 00 3e 00 41 00 4f 00 51 00 56 00 58 00 5a 00 5c 00 5d 00 5e 00 61 00 62 00 64 00 66 00 69 00 6b 00 70 00 72 00 74 00 78 00 7e 00 7f 00 83 00 ab 00 b9 00 bc 00 da 00 fb 00 00 01 04 01 18 01

Stream Path: \x18496\x16383\x17380\x16876\x17892\x17580\x18481, File Type: data, Stream Size: 4272

General
Stream Path:	\x18496\x16383\x17380\x16876\x17892\x17580\x18481
File Type:	data
Stream Size:	4272
Entropy:	2.57636734591
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . + . + . + . + . + . + . + . + . + . 5 . 5 . 5 . 9 . 9 . 9 . > . > . > . > . > . A . A . A . A . A . A . O . O . O . O . O . O . O . Q . Q . Q . V . V . V . V . V . V . V . V . V . X . X . Z . Z . \\ . \\ . \\ . ] . ] . ] . ^ . ^ . ^ . ^ . a . a . a . b . b . b . b . b . b . d . d . d . f . f . f . f . f . f . f . f . f . f . f . f . i . i . i . i . i . i . i . i . k . k . k . k . k . k . p . p . p . p . r . r . r . r . t . t . t . t . t . t .
Data Raw:	04 00 04 00 04 00 04 00 04 00 04 00 07 00 07 00 07 00 11 00 11 00 11 00 1b 00 1b 00 20 00 20 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 35 00 35 00 35 00 39 00 39 00 39 00 3e 00 3e 00 3e 00 3e 00 3e 00 41 00 41 00 41 00 41 00 41 00 41 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 51 00 51 00 51 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 58 00 58 00

Stream Path: \x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481, File Type: data, Stream Size: 20

General
Stream Path:	\x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481
File Type:	data
Stream Size:	20
Entropy:	2.89546184424
Base64 Encoded:	False
Data ASCII:	^ . . . . . . . . . . . . . . . . . . .
Data Raw:	5e 01 af 06 c1 06 c3 06 c5 06 c7 06 c8 06 c2 06 c4 06 c6 06

Stream Path: \x18496\x16667\x17191\x15090\x17912\x17591\x18481, File Type: data, Stream Size: 36

General
Stream Path:	\x18496\x16667\x17191\x15090\x17912\x17591\x18481
File Type:	data
Stream Size:	36
Entropy:	3.62798680688
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . @ . @ . . . . . . . . . . . . .
Data Raw:	9f 01 9f 01 01 80 02 80 a0 01 cb 06 05 80 05 80 05 80 19 80 40 81 40 81 14 80 0f 80 ca 06 cc 06 00 00 00 00

Stream Path: \x18496\x16778\x17207\x17522\x16925\x17915, File Type: data, Stream Size: 450

General
Stream Path:	\x18496\x16778\x17207\x17522\x16925\x17915
File Type:	data
Stream Size:	450
Entropy:	4.73721029883
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . > . C . . . . . . . . . . . . . . . . . . . . . . . . . ! . $ . & . ) . , . 1 . 5 . 8 . : . ; . > . A . B . E . G . I . N . Q . U . W . Y . ] . b . e . h . j . q . t . w . y . \| . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 . 7 . L . . . 3 . S . [ . _ . ` . / . m . o . . . M . . . . . . . . . . . . . . . . . . . . . . . . . " . % . ' . * . - . 2 . 6 . 9 . 6 . < . ? . 7 . C . F . H . J . O . R . V . X . Z . ^ . c . f . i . k . r .
Data Raw:	09 00 0a 00 10 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 1a 00 3e 01 43 01 ff 01 01 02 04 02 08 02 0d 02 0f 02 12 02 15 02 18 02 1b 02 1d 02 1e 02 21 02 24 02 26 02 29 02 2c 02 31 02 35 02 38 02 3a 02 3b 02 3e 02 41 02 42 02 45 02 47 02 49 02 4e 02 51 02 55 02 57 02 59 02 5d 02 62 02 65 02 68 02 6a 02 71 02 74 02 77 02 79 02 7c 02 7e 02 81 02 83 02 85 02 87 02 8a 02 8c 02

Stream Path: \x18496\x16786\x17522, File Type: data, Stream Size: 4

General
Stream Path:	\x18496\x16786\x17522
File Type:	data
Stream Size:	4
Entropy:	1.5
Base64 Encoded:	False
Data ASCII:	i . . .
Data Raw:	69 01 01 00

Stream Path: \x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 48

General
Stream Path:	\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	48
Entropy:	3.38186998233
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . A . G . . . . . . . . . . . . . . . . . . . . . . . . x . < . . . . .
Data Raw:	09 00 0a 00 0e 00 0f 00 10 00 18 02 41 02 47 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 c8 99 dc 85 78 85 3c 8f 84 83 a0 8f

Stream Path: \x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 66

General
Stream Path:	\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	66
Entropy:	3.77043919502
Base64 Encoded:	False
Data ASCII:	. . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	09 00 0a 00 41 02 a4 02 a5 02 a6 02 a7 02 a8 02 a9 02 aa 02 ab 02 00 00 00 00 00 00 00 00 00 00 51 01 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 84 83 00 85 ce 84 01 80 14 85 ff 7f fd 7f 8c 80 fe 7f

Stream Path: \x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 84

General
Stream Path:	\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	84
Entropy:	3.43893323285
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . j . 8 . . . . . . . \\ . $ . . .
Data Raw:	09 00 0a 00 0e 00 0f 00 10 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 c8 99 dc 85 78 85 94 91 6a 98 38 98 9c 98 00 99 f8 91 5c 92 24 93 c0 92

Stream Path: \x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486, File Type: data, Stream Size: 28

General
Stream Path:	\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
File Type:	data
Stream Size:	28
Entropy:	2.20183873051
Base64 Encoded:	False
Data ASCII:	# . # . # . # . # . # . # . $ . % . & . ' . ( . ) . * .
Data Raw:	23 00 23 00 23 00 23 00 23 00 23 00 23 00 24 00 25 00 26 00 27 00 28 00 29 00 2a 00

Stream Path: \x18496\x16911\x17892\x17784\x18472, File Type: data, Stream Size: 16

General
Stream Path:	\x18496\x16911\x17892\x17784\x18472
File Type:	data
Stream Size:	16
Entropy:	2.22460175271
Base64 Encoded:	False
Data ASCII:	# . . . # . 4 . . . . . $ . . .
Data Raw:	23 00 00 00 23 00 34 00 01 80 01 80 24 00 00 80

Stream Path: \x18496\x16918\x17191\x18468, File Type: MIPSEB Ucode, Stream Size: 14

General
Stream Path:	\x18496\x16918\x17191\x18468
File Type:	MIPSEB Ucode
Stream Size:	14
Entropy:	1.95021206491
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . .
Data Raw:	01 80 04 00 00 80 00 00 c9 06 00 00 00 00

Stream Path: \x18496\x16923\x17194\x17910\x18229, File Type: SysEx File -, Stream Size: 24

General
Stream Path:	\x18496\x16923\x17194\x17910\x18229
File Type:	SysEx File -
Stream Size:	24
Entropy:	3.10538854221
Base64 Encoded:	False
Data ASCII:	. . 9 . . . . . : . : . . . 9 . < . ; . % . % .
Data Raw:	f0 00 39 01 ff 7f ff 7f 3a 01 3a 01 f0 00 39 01 3c 01 3b 01 25 00 25 00

Stream Path: \x18496\x16925\x17915\x17884\x17404\x18472, File Type: data, Stream Size: 48

General
Stream Path:	\x18496\x16925\x17915\x17884\x17404\x18472
File Type:	data
Stream Size:	48
Entropy:	3.09028891162
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	d8 01 cd 06 d0 06 d1 06 cf 06 ce 06 cf 06 cf 06 08 80 0d 80 08 80 08 80 00 00 00 80 00 00 00 80 00 00 00 80 ff ff ff 80 00 80 01 80 01 80 00 80

Stream Path: \x18496\x17100\x16808\x15086\x18162, File Type: data, Stream Size: 12

General
Stream Path:	\x18496\x17100\x16808\x15086\x18162
File Type:	data
Stream Size:	12
Entropy:	2.35538854221
Base64 Encoded:	False
Data ASCII:	. . . . . . Q . Q . Q .
Data Raw:	f1 01 bb 02 bc 02 51 01 51 01 51 01

Stream Path: \x18496\x17163\x16689\x18229, File Type: data, Stream Size: 108

General
Stream Path:	\x18496\x17163\x16689\x18229
File Type:	data
Stream Size:	108
Entropy:	3.11492446487
Base64 Encoded:	False
Data ASCII:	k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	6b 01 d4 01 d6 01 dc 01 de 01 e0 01 e2 01 e4 01 e6 01 e8 01 ec 01 f5 01 ac 02 ad 02 ae 02 af 02 b0 02 b1 02 b2 02 b3 02 b4 02 b5 02 b6 02 b7 02 b8 02 b9 02 ba 02 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00

Stream Path: \x18496\x17165\x16949\x17894\x17778\x18492, File Type: data, Stream Size: 30

General
Stream Path:	\x18496\x17165\x16949\x17894\x17778\x18492
File Type:	data
Stream Size:	30
Entropy:	3.44441382958
Base64 Encoded:	False
Data ASCII:	$ . O . . . . . . . . . . . $ . . . . . . . ' . . . . . . .
Data Raw:	24 00 4f 01 be 02 fd 02 14 04 fd 02 14 04 24 00 00 00 fd 02 16 04 27 00 17 04 13 04 15 04

Stream Path: \x18496\x17165\x17380\x17074, File Type: data, Stream Size: 616

General
Stream Path:	\x18496\x17165\x17380\x17074
File Type:	data
Stream Size:	616
Entropy:	4.26905156607
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . S . ] . a . e . h . q . s . w . z . { . . . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . . . r . r . r . r . r . r . r . r . r . ( . r . r . r . . . r . r . r . r . r . r . r . r . r . r . r . r . . . i . . . . . . . . . . . . . . . . . . . G . . . . . . . U . . .
Data Raw:	9a 01 a4 02 a5 02 a8 02 a9 02 aa 02 ab 02 c5 02 dc 02 f4 02 f8 02 fc 02 0c 03 11 03 13 03 1b 03 30 03 53 03 5d 03 61 03 65 03 68 03 71 03 73 03 77 03 7a 03 7b 03 80 03 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80

Stream Path: \x18496\x17167\x16943, File Type: data, Stream Size: 80

General
Stream Path:	\x18496\x17167\x16943
File Type:	data
Stream Size:	80
Entropy:	3.33010705294
Base64 Encoded:	False
Data ASCII:	& . ( . ) . * . & . ( . ) . * . & . . . ) . . . . & > . . . . . . . ) . . . / . . . . . . . . . U . . . U . U . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	26 00 28 00 29 00 2a 00 26 00 28 00 29 00 2a 00 26 00 a1 06 29 00 a2 06 00 26 3e 80 00 e8 0b 80 00 fa 29 80 00 e0 2f 80 a0 06 00 00 a0 06 a0 06 55 01 00 00 55 01 55 01 00 80 00 80 00 80 00 80 01 00 00 80 02 00 00 80 03 00 00 80 04 00 00 80

Stream Path: \x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 510

General
Stream Path:	\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	510
Entropy:	5.8183181554
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . = . > . A . C . . . . . . . . . . . . . . . . . ! . $ . 1 . ; . > . A . B . G . N . Q . U . W . ] . b . e . h . j . q . t . w . y . \| . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	09 00 0a 00 0e 00 0f 00 10 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 1a 00 3d 01 3e 01 41 01 43 01 ff 01 01 02 04 02 0f 02 15 02 1b 02 1d 02 1e 02 21 02 24 02 31 02 3b 02 3e 02 41 02 42 02 47 02 4e 02 51 02 55 02 57 02 5d 02 62 02 65 02 68 02 6a 02 71 02 74 02 77 02 79 02 7c 02 7e 02 81 02 83 02 85 02 87 02 8a 02 8c 02 8e 02 90 02 92 02 94 02 96 02 98 02 9b 02 9d 02 9f 02

Stream Path: \x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472, File Type: data, Stream Size: 204

General
Stream Path:	\x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
File Type:	data
Stream Size:	204
Entropy:	5.26148780813
Base64 Encoded:	False
Data ASCII:	. . . . = . > . A . C . A . B . N . . . . . . . . . . . . . . . h . q . { . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . e . d . . . . . . . . . L . . . . . . . . . K . . . . . . . . . . . 5 . 4 . c . . . . . . . f . 6 . 3 . . . . . . . . . . . . .
Data Raw:	09 00 0a 00 3d 01 3e 01 41 01 43 01 41 02 42 02 4e 02 a4 02 a7 02 a8 02 a9 02 aa 02 ab 02 f4 02 68 03 71 03 7b 03 d0 03 d2 03 d5 03 dd 03 e9 03 f1 03 f3 03 f6 03 f7 03 05 04 07 04 0c 04 0d 04 0e 04 0f 04 00 00 00 00 00 00 00 00 b8 06 ae 06 00 00 00 00 00 00 00 00 00 00 be 06 00 00 00 00 bf 06 97 03 9a 03 9b 03 95 03 00 00 00 00 00 00 c0 06 9b 03 a4 06 d6 03 00 00 00 00 a4 06 b9 06

Stream Path: \x18496\x17547\x17906\x17910\x16693\x17651\x17768\x15518\x16924\x17972\x17512\x16934, File Type: data, Stream Size: 66

General
Stream Path:	\x18496\x17547\x17906\x17910\x16693\x17651\x17768\x15518\x16924\x17972\x17512\x16934
File Type:	data
Stream Size:	66
Entropy:	4.16389459119
Base64 Encoded:	False
Data ASCII:	= . > . @ . A . C . D . F . G . I . J . K . . . ? . ? . B . ? . E . E . H . H . E . L . . . . . , . T . ^ . . . . . X . . . . . .
Data Raw:	3d 01 3e 01 40 01 41 01 43 01 44 01 46 01 47 01 49 01 4a 01 4b 01 00 00 3f 01 3f 01 42 01 3f 01 45 01 45 01 48 01 48 01 45 01 4c 01 97 80 fa 80 2c 81 54 81 5e 81 90 81 c2 81 58 82 8a 82 bc 82 20 83

Stream Path: \x18496\x17548\x17648\x17522\x17512\x18487, File Type: data, Stream Size: 84

General
Stream Path:	\x18496\x17548\x17648\x17522\x17512\x18487
File Type:	data
Stream Size:	84
Entropy:	3.15613264549
Base64 Encoded:	False
Data ASCII:	$ . % . & . ' . ( . ) . * . . . . . . . . . . . . . . . $ . $ . . . O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . ( . ) . * .
Data Raw:	24 00 25 00 26 00 27 00 28 00 29 00 2a 00 bf 02 c1 02 bd 02 c4 02 c2 02 c0 02 c3 02 24 00 24 00 be 02 4f 01 be 02 be 02 be 02 00 80 04 81 00 80 00 80 00 81 00 80 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 26 00 00 00 28 00 29 00 2a 00

Stream Path: \x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522, File Type: data, Stream Size: 72

General
Stream Path:	\x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522
File Type:	data
Stream Size:	72
Entropy:	3.28528343517
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . C . E . G . I . O . P . . . # . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	a8 02 a8 02 a8 02 a8 02 a9 02 a9 02 1b 03 1b 03 1b 03 43 03 45 03 47 03 49 03 4f 03 50 03 cd 02 23 03 25 03 8e 03 8e 03 8e 03 8e 03 92 03 92 03 8e 03 8e 03 8e 03 91 03 91 03 90 03 90 03 93 03 93 03 8f 03 8f 03 8f 03

Stream Path: \x18496\x17548\x17905\x17589\x15279\x16953\x17905, File Type: data, Stream Size: 1536

General
Stream Path:	\x18496\x17548\x17905\x17589\x15279\x16953\x17905
File Type:	data
Stream Size:	1536
Entropy:	4.88533384289
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . S . S . S . ] . ] . ] . a . e . e . e . h . h . h . h . q . q . q . q . q . q . s . s . s . s . s . s . s . w . w . w . w . w . w . w . w . z . z . z . z . z . z . z . z . z . z . z . z . { . { . . .
Data Raw:	9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 a4 02 a5 02 a5 02 a5 02 a8 02 a8 02 a8 02 a8 02 a9 02 a9 02 a9 02 aa 02 ab 02 ab 02 c5 02 c5 02 c5 02 c5 02 c5 02 c5 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 f4 02 f4 02 f4 02 f8 02 fc 02 fc 02 fc 02 fc 02 fc 02 fc 02 0c 03 0c 03 0c 03 0c 03 0c 03 11 03 11 03

Stream Path: \x18496\x17548\x17905\x17589\x18479, File Type: data, Stream Size: 7280

General
Stream Path:	\x18496\x17548\x17905\x17589\x18479
File Type:	data
Stream Size:	7280
Entropy:	4.54500622406
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a5 02 a5 02 a5 02 a5 02 a5 02 a5 02 a5 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 aa 02 aa 02 aa 02 aa 02 aa 02 aa 02 aa 02 aa 02 aa 02 ab 02 ab 02 ab 02 ab 02 ab 02 ab 02

Stream Path: \x18496\x17630\x17770\x16868\x18472, File Type: data, Stream Size: 32

General
Stream Path:	\x18496\x17630\x17770\x16868\x18472
File Type:	data
Stream Size:	32
Entropy:	2.76201589562
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	8a 01 8a 01 85 01 9d 07 00 00 85 01 00 00 00 00 02 00 00 80 01 01 00 80 00 00 00 00 c0 06 9e 07

Stream Path: \x18496\x17740\x16680\x16951\x17551\x16879\x17768, File Type: data, Stream Size: 8

General
Stream Path:	\x18496\x17740\x16680\x16951\x17551\x16879\x17768
File Type:	data
Stream Size:	8
Entropy:	2.15563906223
Base64 Encoded:	False
Data ASCII:	$ . O . $ . ' .
Data Raw:	24 00 4f 01 24 00 27 00

Stream Path: \x18496\x17742\x17589\x18485, File Type: data, Stream Size: 2572

General
Stream Path:	\x18496\x17742\x17589\x18485
File Type:	data
Stream Size:	2572
Entropy:	6.5134680762
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . M . . . . . . . . . . . . . . . . . . . . . . . . ! . " . # . $ . % . & . ' . ( . ) . * . + . , . - . . . / . 0 . 1 . 2 . 3 . 4 . 5 . 6 . 7 . 8 . y . z . { . \| . } . ~ . . . . . . . . . . . . . . . . . A . B . C . D . E . F . G . H . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . m . n . o . p .
Data Raw:	00 80 01 80 02 80 03 80 04 80 05 80 06 80 07 80 08 80 09 80 0a 80 0b 80 0c 80 0d 80 0e 80 0f 80 10 80 11 80 12 80 13 80 14 80 15 80 16 80 17 80 20 80 21 80 e9 83 4d 84 15 85 16 85 17 85 18 85 19 85 1a 85 1b 85 1c 85 1d 85 1e 85 1f 85 20 85 21 85 22 85 23 85 24 85 25 85 26 85 27 85 28 85 29 85 2a 85 2b 85 2c 85 2d 85 2e 85 2f 85 30 85 31 85 32 85 33 85 34 85 35 85 36 85 37 85 38 85

Stream Path: \x18496\x17753\x17650\x17768\x18231, File Type: PDP-11 separate I&D executable not stripped - version 1, Stream Size: 388

General
Stream Path:	\x18496\x17753\x17650\x17768\x18231
File Type:	PDP-11 separate I&D executable not stripped - version 1
Stream Size:	388
Entropy:	4.67624508089
Base64 Encoded:	False
Data ASCII:	. . % . R . T . V . X . Y . [ . ] . _ . a . b . d . f . h . j . l . m . o . p . r . s . t . u . w . x . z . \| . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . U . W . Q . Z . \\ . ^ . ` . W . c . e . g . i . k . Q . n . W . q . Q . Q . Q . v . W . y . { . } . . . . . . .
Data Raw:	09 01 25 01 52 01 54 01 56 01 58 01 59 01 5b 01 5d 01 5f 01 61 01 62 01 64 01 66 01 68 01 6a 01 6c 01 6d 01 6f 01 70 01 72 01 73 01 74 01 75 01 77 01 78 01 7a 01 7c 01 7e 01 80 01 82 01 84 01 86 01 88 01 8b 01 8c 01 8f 01 90 01 91 01 93 01 94 01 96 01 97 01 99 01 9b 01 9d 01 9f 01 a1 01 a3 01 a5 01 a7 01 a9 01 ab 01 ad 01 af 01 b1 01 b3 01 b5 01 b7 01 b9 01 bb 01 bd 01 bf 01 c1 01

Stream Path: \x18496\x17932\x17910\x17458\x16778\x17207\x17522, File Type: data, Stream Size: 480

General
Stream Path:	\x18496\x17932\x17910\x17458\x16778\x17207\x17522
File Type:	data
Stream Size:	480
Entropy:	4.17269583505
Base64 Encoded:	False
Data ASCII:	= . A . . . . . . . & . ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 . . . A . . . . . A . 3 . 3 . . . . . . . A . 3 . . . . . . . A . 3 . . . . . 3 . . . . . . . . . . . 3 . 3 . 3 . 3 . 3 . 3 . 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . Q .
Data Raw:	3d 01 41 01 04 02 12 02 1d 02 26 02 29 02 a6 02 b2 03 be 03 cd 03 d0 03 d2 03 d5 03 d8 03 dd 03 e0 03 e5 03 e7 03 e9 03 eb 03 ed 03 ef 03 f1 03 f3 03 f6 03 f7 03 f9 03 fb 03 fd 03 ff 03 01 04 03 04 05 04 07 04 0a 04 0c 04 0d 04 0e 04 0f 04 01 81 01 80 01 80 01 ac 01 80 01 ad 01 ac 33 80 01 80 41 80 01 8c 01 80 41 81 33 80 33 80 13 80 01 80 01 80 41 80 33 80 01 80 01 84 01 84 41 80

Stream Path: \x18496\x17998\x17512\x15799\x17636\x17203\x17073, File Type: data, Stream Size: 128

General
Stream Path:	\x18496\x17998\x17512\x15799\x17636\x17203\x17073
File Type:	data
Stream Size:	128
Entropy:	4.21298288211
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . 9 . m . 9 . . . . . . . . . . . ! . # . % . % . * . , . 9 . . . 9 . m . 9 . . . . . . . . . . . . . . . . . . . . . . . _ . . . _ . _ . _ . . . . . . . . . . . . . . . _ . . . _ . _ .
Data Raw:	a4 02 a4 02 aa 02 aa 02 f8 02 f8 02 fc 02 11 03 1b 03 1b 03 1b 03 1b 03 1b 03 1b 03 1b 03 1b 03 39 00 f9 02 39 00 6d 03 39 00 f9 02 01 03 01 03 cb 01 1f 03 21 03 23 03 25 03 25 03 2a 03 2c 03 39 00 96 06 39 00 6d 03 39 00 96 06 98 06 98 06 99 06 99 06 99 06 9e 06 9d 06 9e 06 9c 06 9b 06 5f 00 97 06 5f 00 5f 00 5f 00 97 06 98 06 98 06 9a 06 9a 06 9a 06 9f 06 5f 00 9f 06 5f 00 5f 00

Target ID:	0
Start time:	18:49:20
Start date:	23/02/2022
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi"
Imagebase:	0x7ff6544f0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	18:49:21
Start date:	23/02/2022
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\msiexec.exe /V
Imagebase:	0x7ff6544f0000
File size:	66048 bytes
MD5 hash:	4767B71A318E201188A0D0A420C8B608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	18:49:22
Start date:	23/02/2022
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C
Imagebase:	0x12e0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	7
Start time:	18:49:35
Start date:	23/02/2022
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4
Imagebase:	0x12e0000
File size:	59904 bytes
MD5 hash:	12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	18:49:40
Start date:	23/02/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Imagebase:	0x900000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	9
Start time:	18:49:41
Start date:	23/02/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	20
Start time:	18:51:21
Start date:	23/02/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Imagebase:	0x900000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Function 008755B8 Relevance: 8.3, Strings: 6, Instructions: 754COMMON

Download Yara Rule

Strings

`oXk, xrefs: 00875B6E
=i, xrefs: 008756A0
`oXk, xrefs: 00875CB2
`oXk, xrefs: 00875D11
Gi, xrefs: 008756BE
`oXk, xrefs: 00875BC5

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID: =i$Gi$`oXk$`oXk$`oXk$`oXk
API String ID: 0-2097816857
Opcode ID: 6518449cfdce49913a7f5df52d6ff8ea5d00c0330476f973a3658145d0467016
Instruction ID: 7278f908cb730e54d1f4696c2c1b0276c6c91f4bd31974fed0cb14e44da7c53d
Opcode Fuzzy Hash: 6518449cfdce49913a7f5df52d6ff8ea5d00c0330476f973a3658145d0467016
Instruction Fuzzy Hash: CF529934B006098FCB14DBA4C988AAEB7E2FF88314F158969D50ADB394DB74ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00874080 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92471432618c4031e39ba860af5f282cde7d7a06a53b3a4c84ea1bd5981c90b2
Instruction ID: fa6bbc9b464cb483caf97d1a0bc9dc85725a88e9227d367ccfe97199a6ebe284
Opcode Fuzzy Hash: 92471432618c4031e39ba860af5f282cde7d7a06a53b3a4c84ea1bd5981c90b2
Instruction Fuzzy Hash: ED524E75A002189FCB15DFA8C880B9EB7F2FF89304F1181A9D509AB395DB31AD85CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00883430 Relevance: 2.8, Strings: 2, Instructions: 250COMMON

Download Yara Rule

Strings

`oXk, xrefs: 008834E5
`oXk, xrefs: 0088354A

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID: `oXk$`oXk
API String ID: 0-625402370
Opcode ID: 972a870737502c351c3a4fbb543e85b0e9e32a9be25498100b453bc96d61bebf
Instruction ID: 450399b41536e66f839a5bb59f6c7e806720ada5d1f865f3096c5d8b2bc058b8
Opcode Fuzzy Hash: 972a870737502c351c3a4fbb543e85b0e9e32a9be25498100b453bc96d61bebf
Instruction Fuzzy Hash: D6A1EC306043868FC714EF34C588A9ABBB2FF81318F0589A9D5458F766DB34ED46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008816B8 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

`oXk, xrefs: 0088186F
`oXk, xrefs: 00881774

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID: `oXk$`oXk
API String ID: 0-625402370
Opcode ID: d10b8d097b60475b3b022cb0a3689b1029aabde3c0d662ff64cdcc4d01c523a5
Instruction ID: aa19a5dc4673d141791d45e75d434e586f406d722c08a94d5d33938a52a505c1
Opcode Fuzzy Hash: d10b8d097b60475b3b022cb0a3689b1029aabde3c0d662ff64cdcc4d01c523a5
Instruction Fuzzy Hash: 2B812534A11209DFCB14EF68D589A9AB7F6FF48314F2185A8E505AB361DB34ED46CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00880A2C Relevance: 2.7, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

`oXk, xrefs: 00880AB8
`oXk, xrefs: 00880A51

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID: `oXk$`oXk
API String ID: 0-625402370
Opcode ID: 83f3cd93c7642ce0cfcb911255f6ae88993397f6a50930a874ae9ac76303fd07
Instruction ID: 2cf824ba97ca74fd8a0a5a583a6b51df75018d98df11f4021ca74dc73808df13
Opcode Fuzzy Hash: 83f3cd93c7642ce0cfcb911255f6ae88993397f6a50930a874ae9ac76303fd07
Instruction Fuzzy Hash: 18610530A01248DFDB58EF60C194A99B7B2FF88368F1189A8D5069F3A5CB35ED49CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0087F199 Relevance: 2.6, Strings: 2, Instructions: 61COMMON

Download Yara Rule

Strings

*, xrefs: 0087F1C5
sl^, xrefs: 0087F1E2

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID: *$sl^
API String ID: 0-2781311444
Opcode ID: d1cafdbd6c19d1d781d386c5bcb4574d870303838613368af4e22672cfe89109
Instruction ID: 8d56598d3e0f842782cd0bb071f7789f463a38bc759b4ffa26a178de25319cc8
Opcode Fuzzy Hash: d1cafdbd6c19d1d781d386c5bcb4574d870303838613368af4e22672cfe89109
Instruction Fuzzy Hash: F81125366043158FCB05DB65EC808AFB7B9FF89264700847AE919C7241DB30DC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0087F1A8 Relevance: 2.5, Strings: 2, Instructions: 36COMMON

Download Yara Rule

Strings

*, xrefs: 0087F1C5
sl^, xrefs: 0087F1E2

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID: *$sl^
API String ID: 0-2781311444
Opcode ID: 66b6522ebbb75cccaf36ffeadfba32ebe791b0ff246e141b8f47439bbd5ded23
Instruction ID: f5812bfe1607a90015493d202fa98e5dd5cb62951269e4281bdcf42923dd3cc2
Opcode Fuzzy Hash: 66b6522ebbb75cccaf36ffeadfba32ebe791b0ff246e141b8f47439bbd5ded23
Instruction Fuzzy Hash: E5F0E2762047285F8B18EB6AAC8486F77EAEFC8264340853AE519C7341DA70EC048BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00885548 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

`oXk, xrefs: 00885A02

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID: `oXk
API String ID: 0-4058762126
Opcode ID: bb4f795f81671cc6b737913509b34915e00ad910b902daf6317acd1b1e16f21b
Instruction ID: 45d9ae2b9594b9a3379e7372761cf11889e32148bf3af5e53c68646a1b844754
Opcode Fuzzy Hash: bb4f795f81671cc6b737913509b34915e00ad910b902daf6317acd1b1e16f21b
Instruction Fuzzy Hash: 2DE19734B006048FDB14EFA8D994AAAB7F6FF88314F148929D50ACB791DB31EC05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008700E8 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

]j, xrefs: 00870270

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID: ]j
API String ID: 0-2112577400
Opcode ID: b6de3a5bdda724a44053f186b2b1745241575f4594bf1fd5d2e66a55dbb7c3d6
Instruction ID: 64810be081d09ced8e73b231cd4fc6bb43e068045336c4c255443aeef7d27874
Opcode Fuzzy Hash: b6de3a5bdda724a44053f186b2b1745241575f4594bf1fd5d2e66a55dbb7c3d6
Instruction Fuzzy Hash: DA91CC31B14205CBDB259F68D498AAA77A6FBC4314F16C42AE90ACB395DF34DC41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 008782F0 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

=i, xrefs: 008783B9

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID: =i
API String ID: 0-504481691
Opcode ID: 75623eb4baf121f84b2db4c97a176089b8121eff25fa63916eb1c1cea0a68033
Instruction ID: 22c5e7474abb8b3812d52522c245de0e97d6c2f4a1132d2252836a1f99afcc0a
Opcode Fuzzy Hash: 75623eb4baf121f84b2db4c97a176089b8121eff25fa63916eb1c1cea0a68033
Instruction Fuzzy Hash: F5518B753447018FCB24AF68D49896E77A6FFC8714B118929DA0ACB3A5DF70EC058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0088B468 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

`oXk, xrefs: 0088B4F5

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID: `oXk
API String ID: 0-4058762126
Opcode ID: 7ed4df7a04a60b2e426abce17190ac0a31ca1b9256738c69f631431fc206b55a
Instruction ID: 999119ac24937a2ffecce57822871b2d85f70418553290e6b1ae15b256193d48
Opcode Fuzzy Hash: 7ed4df7a04a60b2e426abce17190ac0a31ca1b9256738c69f631431fc206b55a
Instruction Fuzzy Hash: BD514735A002149FD714EF68D498BADB7B2FF88310F158469E816AB3A1DB35EC44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0088B459 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

`oXk, xrefs: 0088B4F5

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID: `oXk
API String ID: 0-4058762126
Opcode ID: f76a19b91a25c13bbcc9bca66763ae18e918a83b423470de71a8e9fdbc8a6c2e
Instruction ID: a2de5d0baddedabf00aa6d789ebb3db814aef121776b9be51fca8b4e141bbea1
Opcode Fuzzy Hash: f76a19b91a25c13bbcc9bca66763ae18e918a83b423470de71a8e9fdbc8a6c2e
Instruction Fuzzy Hash: DE514574A10204DFDB04EF68D494BADBBB2FF89314F1584A9E815AB3A1DB35AC45CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00884CA0 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

N, xrefs: 00884D19

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1161386698
Opcode ID: 44c544cc4fd6f736b5836eebcc7ddc376be32abaf370b0fa27138e937b0de3d6
Instruction ID: 6374e3d5f2525b3021fa3ccfdc5f9359430cc52140afa51df494494378b41122
Opcode Fuzzy Hash: 44c544cc4fd6f736b5836eebcc7ddc376be32abaf370b0fa27138e937b0de3d6
Instruction Fuzzy Hash: 3541C172B001168FDB04EFA9C9496BEBBB6FF84314F1485A9D505DB291CB78CD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00881961 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

`oXk, xrefs: 008819C5

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID: `oXk
API String ID: 0-4058762126
Opcode ID: 42896680a829fe9ab3684c2b8073e9b8d6f66908eab87f5d85a22c032482c35b
Instruction ID: e1d4709c2638fa46fc7e1dcae750adcd52f98e4a67402c18341ee37a5ff5f418
Opcode Fuzzy Hash: 42896680a829fe9ab3684c2b8073e9b8d6f66908eab87f5d85a22c032482c35b
Instruction Fuzzy Hash: 5B410034A042498FCB08DF68C288A9AB7F2FF48314F118998D901AB765CB71ED45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00881970 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

`oXk, xrefs: 008819C5

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID: `oXk
API String ID: 0-4058762126
Opcode ID: c28a4c44026407e8860309a3fc54949936e189b349e8531c5cbc41de6b957e22
Instruction ID: 17185ce80df0d1904c48084c3ce63b9009b4c941cc270352fbd7799d0962a593
Opcode Fuzzy Hash: c28a4c44026407e8860309a3fc54949936e189b349e8531c5cbc41de6b957e22
Instruction Fuzzy Hash: BB41D034A002598FCB18DF68C688A9AB7F2FF48314F118998E901AB761DB71FD45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0088A1C1 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1997a33df2e17946f29a86542e9096ed02e36ca5ced097572cb4a605dd56dc18
Instruction ID: aef1eea35b60e97832878c6a5899af5c1a971f5359114dd24a61f6c7712fa4ca
Opcode Fuzzy Hash: 1997a33df2e17946f29a86542e9096ed02e36ca5ced097572cb4a605dd56dc18
Instruction Fuzzy Hash: D1D11974A002059FDB14DFA4C598AAEBBF2FF88314F158469E9199B3A5CB34EC41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00886D08 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53b22767c4342a6a98ac82df8f2132214d109eea0e973017b6473a3137ecc970
Instruction ID: 39392fb8cc91abc91c108bd79d662ca3e365499cce9c6cdecd0308023202ddf6
Opcode Fuzzy Hash: 53b22767c4342a6a98ac82df8f2132214d109eea0e973017b6473a3137ecc970
Instruction Fuzzy Hash: 71B17C347046049BD714EB69C894B6EB7A7FB88304F298569E50A9B3C2DF35EC02DF61

Uniqueness

Uniqueness Score: -1.00%

Function 00889D7C Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a9e32cabb8f28e99c87bdab77eb4fc977839ea1b407eedf3327611216cfb34
Instruction ID: 00e3384e85aa52a988c730ded3256a1d2005e91857751ee32a0cb79c815c2bec
Opcode Fuzzy Hash: b9a9e32cabb8f28e99c87bdab77eb4fc977839ea1b407eedf3327611216cfb34
Instruction Fuzzy Hash: B3C11934A00208DFDB14EBA4D598BADBBF2FF88314F158469E506AB7A5CB71AC41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00881B18 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a9f90ffbfa19e0ecb65a6207673060f55a70b1c4bf80ad051bd353281faf96
Instruction ID: bb91261bccee806c0e204eefc39098d695bb5b7dd008c50cebadff9408359b64
Opcode Fuzzy Hash: d0a9f90ffbfa19e0ecb65a6207673060f55a70b1c4bf80ad051bd353281faf96
Instruction Fuzzy Hash: C4A10A74A00609CFDB21EF68C588A99FBB5FF48314F25C559D859AB252EB30ED86CF40

Uniqueness

Uniqueness Score: -1.00%

Function 008837C8 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 010c6fe51c147817bbc9507aff1c62c2171e195d5cc772da154e554db1c90fb6
Instruction ID: 8dec9c71a005ccc97b2bf17f01c8b60068f2895b98b85d03f1f51e659c9e3266
Opcode Fuzzy Hash: 010c6fe51c147817bbc9507aff1c62c2171e195d5cc772da154e554db1c90fb6
Instruction Fuzzy Hash: 5881AF30B042498FCB00EFA9D8949AEBBF2FF89314B15846AD505EB361DB74ED05CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0088FC68 Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1fbbb7a0c83c11688fea8a8c9d4c71f290973080e40189c9ff924c743b86216
Instruction ID: 7c1e918b6f07ef167a05ab6dfb3badbd53cfcd2f3e62de064f82bdbee0087b05
Opcode Fuzzy Hash: e1fbbb7a0c83c11688fea8a8c9d4c71f290973080e40189c9ff924c743b86216
Instruction Fuzzy Hash: E481F774A002498FCB14DF69D588A9DBBF2FF88310B1586A8E505EB3A2DB31ED41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0088DD28 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0557fb7369e34e6a796ba87cc7694d4864e257105731a07adfd38520a6236cae
Instruction ID: 529dd026b0a1586a47d776d53ea38689dc4496b21db63e486d4e6479704d3199
Opcode Fuzzy Hash: 0557fb7369e34e6a796ba87cc7694d4864e257105731a07adfd38520a6236cae
Instruction Fuzzy Hash: 8D41D370B047558FCB14EF78D4989AEBBF2FF89314B018969D54ADB390CB34AC058B91

Uniqueness

Uniqueness Score: -1.00%

Function 0088BC40 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a3de9a20f6189dd04c7d208d4a8ef034efc3050bd8af0ecc86d1af9f9745c4
Instruction ID: 36ca2e3b06a1d9159dd7b7de8715c843921bcd3c781065e22e66a4aa40ba1a91
Opcode Fuzzy Hash: b2a3de9a20f6189dd04c7d208d4a8ef034efc3050bd8af0ecc86d1af9f9745c4
Instruction Fuzzy Hash: B041BF303043449FC715EF74D498A6A77A3FFC5328B018969D646CB7A1DF74AC0A8B91

Uniqueness

Uniqueness Score: -1.00%

Function 0088DEF0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96c978ceecb623c0ea00b0fa167c3cffdbbc63205ed1d483e64f1086dde566e2
Instruction ID: 8d5d762d084af7ccbb1d162b92a1979465c2728d86e1fd59b9b1548ea37a1666
Opcode Fuzzy Hash: 96c978ceecb623c0ea00b0fa167c3cffdbbc63205ed1d483e64f1086dde566e2
Instruction Fuzzy Hash: B1519A30A043998FCB15DBB5D090BAEBFB2BF45314F0848A9E495EB382DB359845CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0088BC32 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305c561e7035d8f29e11e2a5431d9c5e58ed39445b6c7ab4f95c7ca677455e1c
Instruction ID: 17a071231efd9cdb422f93d9bf4a3fe653965a105c226e17568dc703d8c8223d
Opcode Fuzzy Hash: 305c561e7035d8f29e11e2a5431d9c5e58ed39445b6c7ab4f95c7ca677455e1c
Instruction Fuzzy Hash: BD41B3302047489FC714EF74D584A9AB7A2FF84328F01CE68D2568F6A5DB71BD09CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008835F8 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a6289ed111772e595d3df268933f69753fd1c0eb0e20fae2b3d4ec61779203
Instruction ID: 939336769c70bda7c64dc412d2bf525cb7a336dcb16f49b83bf2682607b56648
Opcode Fuzzy Hash: 03a6289ed111772e595d3df268933f69753fd1c0eb0e20fae2b3d4ec61779203
Instruction Fuzzy Hash: CD51DE302057859FC750DF34C188A8ABBF2FF85318B0189A9E9858FB62CB74F945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00882AE7 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7337328a64c9bde9ec97cdcb8778713a462404eac810f56e8de79c4530723c7d
Instruction ID: ff3d8eb43a94325d7ca5d5bdaf38333a4e40603a570547e89f972d11e05fb5d1
Opcode Fuzzy Hash: 7337328a64c9bde9ec97cdcb8778713a462404eac810f56e8de79c4530723c7d
Instruction Fuzzy Hash: 7F411C74A102188FCB09EBB4D558AAE77B2FF88314F114468D905EB391CB399D46DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00888060 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e225610e5271992b313a17745b860699346e8a413793bdde38dbef4e165d93
Instruction ID: 21c5d62e15ea806c73ee46c2440713fec51e01f6c92ae67c8046e22ae074f700
Opcode Fuzzy Hash: d7e225610e5271992b313a17745b860699346e8a413793bdde38dbef4e165d93
Instruction Fuzzy Hash: FA319279B002059FCB14EBA4D8409AEB7E6FBC8314F54843AE616D7340DF319D55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0088B8C0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dcf8a1f8ff56c302b920fa802f7850ec4a10e6629d16e9ee58d0da194631ed2
Instruction ID: 3f4159b1ae9b6e0a2163f72d60bbe5e8eeb25a390e4b600a1b74e474dbededd5
Opcode Fuzzy Hash: 4dcf8a1f8ff56c302b920fa802f7850ec4a10e6629d16e9ee58d0da194631ed2
Instruction Fuzzy Hash: D1418E70A002099FC704EF64D198A6DB7A3FF88324F158928C50AEB791DB74AC45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0088DD0A Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8efc7897ba3e5eabd1a9a3c461b00e8bcd13cf21081c1bd8fe72cb0d54b7fff
Instruction ID: b351d21efbe49b2a6ff6c0eeb0aa13b8c3670148f63a150572c9092f69d1fa25
Opcode Fuzzy Hash: a8efc7897ba3e5eabd1a9a3c461b00e8bcd13cf21081c1bd8fe72cb0d54b7fff
Instruction Fuzzy Hash: C231F870A0439A9FCB01EFB4C49499EBBB1FF89314B058969D545DB351DB30AC45CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00884DF8 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b07aa51731e853dcbe938134ee3a981283ad4ae1052d9381eabae68ea25c4a
Instruction ID: 96292c0b6e9432921910946e77bba1d9662c697ca948393460fa794c8b2575db
Opcode Fuzzy Hash: 78b07aa51731e853dcbe938134ee3a981283ad4ae1052d9381eabae68ea25c4a
Instruction Fuzzy Hash: 1A314631B007499BE715DB68CC40BEFB366EF84304F11C069E1457B6D1DFB4A8868B51

Uniqueness

Uniqueness Score: -1.00%

Function 00884E08 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b650ec02a8b4bc95906c187b6d61c15b83abf1f87ff6cefb9bc85574eb249f
Instruction ID: 15ab68635b25460a27cb5f023d75e59199772669fce893720211555d1d5a059e
Opcode Fuzzy Hash: a8b650ec02a8b4bc95906c187b6d61c15b83abf1f87ff6cefb9bc85574eb249f
Instruction Fuzzy Hash: 41310331A00A499BE7149B69CC407EFB367EF88304F11C529E1056B6C1DFB4A88A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 008785E0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a52e85e1c924abe6831c92813a5f3ad49451326592545de95b63d9eba461068
Instruction ID: 22d27bf81cb80e42c5889d45efcd387bd2304489c30fced0ccc43118e0caddfe
Opcode Fuzzy Hash: 9a52e85e1c924abe6831c92813a5f3ad49451326592545de95b63d9eba461068
Instruction Fuzzy Hash: 5421367AB80A10DFC714CB58E88C92AB7F6FB983247258969E50EC7365DF31EC01CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00878E80 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6fa7c618b9569aacb95bebc1656659a282b5b1a37fbb581f5d15301c1ca70f
Instruction ID: fe4432d414b15835c2729f8626c52e88b9815a24e706aa8a6fd6d112af2431b9
Opcode Fuzzy Hash: 1e6fa7c618b9569aacb95bebc1656659a282b5b1a37fbb581f5d15301c1ca70f
Instruction Fuzzy Hash: 9721FB7AE406258FC714DF58D488D6AB7B5FF887607118664E959DB325CB30EC41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00878500 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36982a307e99da6a4d131dd091dc2a532095637d02474d5c1ac812ef3db57803
Instruction ID: 3b6b71d72ba40231c51aae5440f03a8cfcb57da1b1d82921d728e5e9c0367478
Opcode Fuzzy Hash: 36982a307e99da6a4d131dd091dc2a532095637d02474d5c1ac812ef3db57803
Instruction Fuzzy Hash: 4721397A780610CFC714CF68E88896AB7B6FF887657218969E91AC7325DF31EC01CA50

Uniqueness

Uniqueness Score: -1.00%

Function 0087ECF8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ec7ff961de4dd43b7bc57ec0aaf5a7845f2d3439155189e29ca5714975c84d
Instruction ID: 19132dfc8b625e13da203f27efadbcce77d7ef18a8ff6948315be11a46bf349f
Opcode Fuzzy Hash: 24ec7ff961de4dd43b7bc57ec0aaf5a7845f2d3439155189e29ca5714975c84d
Instruction Fuzzy Hash: 8B216934B002059FCB24DFA8D494A9EBBF6FB88314F14856AD91ADB744DB71ED428BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00883338 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf24d8e8b763c94ea285bceb35ace556d895a9717cf4d0f5bed99c64b86decd
Instruction ID: b3e757c96e6a0bb1ed592a534af075d39b377833c6204d88ad7484c55cc0e07e
Opcode Fuzzy Hash: 3cf24d8e8b763c94ea285bceb35ace556d895a9717cf4d0f5bed99c64b86decd
Instruction Fuzzy Hash: C521AE70A007449FCB21DFA4E448A6EBBF6FF88310F058969E85AD7751DB34AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00882F50 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f2c3b2f49a57a264d43808719e4a7fe9d3a55f79ccff5589bc251ad90675cdc
Instruction ID: 0b89fd63857067f6a5a5ad9c039c7952aa8e5689b5f12832c031bc38e0391ea9
Opcode Fuzzy Hash: 4f2c3b2f49a57a264d43808719e4a7fe9d3a55f79ccff5589bc251ad90675cdc
Instruction Fuzzy Hash: C321A1327042158FCB259F68D8486AFBBF6EF94324B05492AE905CB381DF70DC01CB91

Uniqueness

Uniqueness Score: -1.00%

Function 008792A1 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dee0fde5047252a2b81b9e44d3aa0a7eabf90620c1ca10d80f63c9a7534d571
Instruction ID: 6f928d4f9c26cdfa9ce6ad9bc0919ffd355ff9539b6d3f51528e1f0a322aa4b9
Opcode Fuzzy Hash: 2dee0fde5047252a2b81b9e44d3aa0a7eabf90620c1ca10d80f63c9a7534d571
Instruction Fuzzy Hash: 2911A03514E3C15FC7130B7498256963FA1EF87311F0A80DBE8C8CA197D669889597A1

Uniqueness

Uniqueness Score: -1.00%

Function 00882DF0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8323bf84f9faec0f33b3cc988e5102bfe6d4e9680a6ceb20454207c5505c106
Instruction ID: ba3b1a693d7e4d93efab4f97331aa4272e508a61dacaaadb91ade704dc798925
Opcode Fuzzy Hash: a8323bf84f9faec0f33b3cc988e5102bfe6d4e9680a6ceb20454207c5505c106
Instruction Fuzzy Hash: D2219035B0021A9FCB009FA8D9449AEBBBAFF85315B00843AE905EB341DB31D900CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00883348 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe122d563207403dca75bbfdd61b6f7a7388347d9558e8e98d491fe24ac0ec32
Instruction ID: c44567de56d0df0bafab085c49d52eafd13656386fcfae8cd6be89e8ee5de223
Opcode Fuzzy Hash: fe122d563207403dca75bbfdd61b6f7a7388347d9558e8e98d491fe24ac0ec32
Instruction Fuzzy Hash: 6F216970A007548FCB259B65E448A6EBBF6FF88211F008929E59A93790DB34AD058B91

Uniqueness

Uniqueness Score: -1.00%

Function 00878800 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c25e5da43bdc2bb4b44280df44c82b1a91fc846b4cd6d2a84543a95241d1e5e
Instruction ID: aa407bcaaca52f34a4914c6b0b9fc684f06649eb3ca497485973e83045443b58
Opcode Fuzzy Hash: 2c25e5da43bdc2bb4b44280df44c82b1a91fc846b4cd6d2a84543a95241d1e5e
Instruction Fuzzy Hash: 64116AB57406148FD714DF59E8C892AB3F9FF98720B108569E90AC7325DB71EC01CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00870A40 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85a95dc98a6b2c6e73824d4e886bd979ddf3813408db6d1ef0ec28f382a4f02
Instruction ID: ee4ba5b716a5f1a236cd734b4fcc0e2ee268837a0f69e8569b8a26bfc3bf3bf5
Opcode Fuzzy Hash: a85a95dc98a6b2c6e73824d4e886bd979ddf3813408db6d1ef0ec28f382a4f02
Instruction Fuzzy Hash: 2E219D70B002299FCB14DF68D8848AFB7E6FBC8310B508529E919D7354DB309D00CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00889110 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e94082cfd6dafd55e200ba4c1e6b08289aeb18d537c98be84105c02a967ec51
Instruction ID: c4e73449aa64df1aca46531eb4895c13e37622ab90dfdd339862318493d0ab65
Opcode Fuzzy Hash: 9e94082cfd6dafd55e200ba4c1e6b08289aeb18d537c98be84105c02a967ec51
Instruction Fuzzy Hash: BF21E6B59002599FCB10CF99D888BEEBBF4FF49324F04841AE959A7350D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00879E41 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be9d29a4d8ac94ac90ace3af8497b4bd812121c2c2fed8c2636a13a089edec6
Instruction ID: 56a643552c3c50f036d33d88520bc8cbfeb12d8f9450c00da459a31c5d9f9710
Opcode Fuzzy Hash: 3be9d29a4d8ac94ac90ace3af8497b4bd812121c2c2fed8c2636a13a089edec6
Instruction Fuzzy Hash: 4C01C83514D7C29FC3071B74A8212853FB0AE4326434A44D7E488CF5A3DA699C259B72

Uniqueness

Uniqueness Score: -1.00%

Function 00889118 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6e758d8077150c3d64a3f71246b35c9d8fcb2c1d0caf21d9ebbd87be561676
Instruction ID: b463d7a8b2d94cc75ee3eee1d4afbc16fd28fade27e4b363654e5214c92a7035
Opcode Fuzzy Hash: 3c6e758d8077150c3d64a3f71246b35c9d8fcb2c1d0caf21d9ebbd87be561676
Instruction Fuzzy Hash: 9321F3B59002599FCB10CF9AD888BDEBBF4FB49324F00842AE959A7250D774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00879310 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99b7500daa47f7ddd2ac8fed83952a84d69f29b77371cb6c0acd7bad399d9c79
Instruction ID: 4be238e8c8e712f411f861d70d80054a970572748fdee3b595a24ea17c05fed9
Opcode Fuzzy Hash: 99b7500daa47f7ddd2ac8fed83952a84d69f29b77371cb6c0acd7bad399d9c79
Instruction Fuzzy Hash: 0B010C32B0612487DB611549A004ABEB786FBD0B22B28C43BEDCCC628CDA30CC1297A0

Uniqueness

Uniqueness Score: -1.00%

Function 00883420 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71ee5d264a4643493fc99004765bce456e394530ee54efa8a8130b73947ac87e
Instruction ID: aa5d0a6d157f83d581ae4cdbf2015541f9de76837ddbf5b347a9de6e290d4c66
Opcode Fuzzy Hash: 71ee5d264a4643493fc99004765bce456e394530ee54efa8a8130b73947ac87e
Instruction Fuzzy Hash: 461157316003448FD721AB60D408BAABBE2FF80718F0885AAD409CF281CB39DD06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00882EAF Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4e2db382f756fbb4ddf976eddfa07277330af10898ec4862ff84a21b0c6ef0e
Instruction ID: 9bef1011dbdaf04ac5454f1eff2fcd99c2a80f5b94994cd8ba67a2cd06b925d2
Opcode Fuzzy Hash: a4e2db382f756fbb4ddf976eddfa07277330af10898ec4862ff84a21b0c6ef0e
Instruction Fuzzy Hash: A811EC702057919FD326AB71D854A2B7BFAEF86304B40446EE542CB781EB39EC01CB20

Uniqueness

Uniqueness Score: -1.00%

Function 0088BA20 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1449c7423a3bda1e33007c7bfd4e6ee2844f41303ddb4e8c34bc6a4cea08d080
Instruction ID: 043ca34df7c9945f134b471077d5b400d1b9a59abe80ac86abb538a43557b909
Opcode Fuzzy Hash: 1449c7423a3bda1e33007c7bfd4e6ee2844f41303ddb4e8c34bc6a4cea08d080
Instruction Fuzzy Hash: C321A231909255CFCB15EB64C9187DE7FB1FF89304F1409AAC042E7692DB794D05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00870A30 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bb78da89394ab283361d020486c6f2516535dc9a6a9eb94376231e41c877f20
Instruction ID: 117138164ee5d252df19410cf29a31ff4ca14553ad2df10fd4f5c5886b15da3a
Opcode Fuzzy Hash: 4bb78da89394ab283361d020486c6f2516535dc9a6a9eb94376231e41c877f20
Instruction Fuzzy Hash: 1011E175A00368EFCB10DF69DC408AFBBBAFBC9310B14856AE819C7252C7309D04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00885539 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2bdbd83ed98064e4dfb0cf251c7856bcd44c7617647d1498ce8f7eb5a1d106c
Instruction ID: 673bd5a39c6f01dbaa915cb5035e1d888c977d1b37bf84363b91bb49537e4b71
Opcode Fuzzy Hash: d2bdbd83ed98064e4dfb0cf251c7856bcd44c7617647d1498ce8f7eb5a1d106c
Instruction Fuzzy Hash: 9D118E35B042045BDB08DBA4D8906DFBBBAEF85311F1184B9E506A7781DF32AC028FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00878B60 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dba25be6ad0c6de50242eca84bb269452e21bf6357bb7834c1bc542618bf06f3
Instruction ID: 6e0a9cc07c6200186bdc60a7fb958360511464cf33bd5b8f1100191dd5264d82
Opcode Fuzzy Hash: dba25be6ad0c6de50242eca84bb269452e21bf6357bb7834c1bc542618bf06f3
Instruction Fuzzy Hash: A2018F717805208F8B149A2ED848D6AB7EBEFE9A35324856AE109CB334DE70DC028781

Uniqueness

Uniqueness Score: -1.00%

Function 0087F4B3 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d109487f9dd8fb5cc2ce7821d5da3bdfb1c46a05b9c48ddb2b58b7091f3c9f4
Instruction ID: 72eb8bdbe55c28236c75fa550d7e6c36f2abb216f571741e4b9a144447608bc1
Opcode Fuzzy Hash: 0d109487f9dd8fb5cc2ce7821d5da3bdfb1c46a05b9c48ddb2b58b7091f3c9f4
Instruction Fuzzy Hash: 3C11A031E0434E9BCF15CFA5D8505DEBBB2FF85304F10452AE902AB245DBB099498B80

Uniqueness

Uniqueness Score: -1.00%

Function 00882EC0 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5f408d69a17dae47e24d19f265a8ba4a060610c6dfaf83c52a9fe56a05795b
Instruction ID: 91961fb4029840b3f97b92fb02a182ed6ca33a615d5f7c79e65c24e7d6a7b318
Opcode Fuzzy Hash: db5f408d69a17dae47e24d19f265a8ba4a060610c6dfaf83c52a9fe56a05795b
Instruction Fuzzy Hash: B7018C747116219FD724AB65D854A2BB7FAFBC8715B40442EE242C7B80DB39EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0087F4B8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a93be7aaab90ba55d6e7fdf63fda8583d69ee6338c3c0e1e0a15bb5463ee83
Instruction ID: 10745ff9516fdffe5d0eacf7cca30be157a3591a133dfd9a70e011a16a7b8263
Opcode Fuzzy Hash: 49a93be7aaab90ba55d6e7fdf63fda8583d69ee6338c3c0e1e0a15bb5463ee83
Instruction Fuzzy Hash: B8118E71E1431E9BCF08CFA5D8505DEBBB2FF85304F10852AE901AB345DB70A9498B90

Uniqueness

Uniqueness Score: -1.00%

Function 0088B242 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6b247eeb836ad14b8b2df31861e4835e9b21dca901eb2ac24094ab7322d58f
Instruction ID: 6647b79fed39ba3894fcbea481c43f4807ad2825638e6c72a040090c492b8e4a
Opcode Fuzzy Hash: 0a6b247eeb836ad14b8b2df31861e4835e9b21dca901eb2ac24094ab7322d58f
Instruction Fuzzy Hash: 52212934A00209CFCB05DFA4D598E9D7BB2FF88324F159569D505AB3A1DB35E881CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0087D548 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 577c4731d1273776df02409f972280127c8cf7d99b711b642192387a6399249b
Instruction ID: d59863af0eebd532983be9b91987795371cdd4fd93cf6be233ae91c165a191f0
Opcode Fuzzy Hash: 577c4731d1273776df02409f972280127c8cf7d99b711b642192387a6399249b
Instruction Fuzzy Hash: 4701D4317093518FC7028B68D55455AFBB1EFC632071A81EBD808CB2A2CB748C06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0088FDEC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb25317eeb833a83dfe859985b13418b80ae189ca319ff9bde5f4f3573d42ccf
Instruction ID: a57feef2da30ff0ff45b42dfdc39cdc834cd5def7c0fc1733651cd2988de21ce
Opcode Fuzzy Hash: fb25317eeb833a83dfe859985b13418b80ae189ca319ff9bde5f4f3573d42ccf
Instruction Fuzzy Hash: 1811F834A002498FC710DF64D64898DB7F1FF48324B254BA4D559EB3A1CB31ED42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00882DE1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a86c97b80622317cd51d64a88caaed689b75070e1a247366506f3b86626f0c1
Instruction ID: 5c1054799b0933ce4cecfdf061f94d0b826a402f50f416e77e093e1807411b57
Opcode Fuzzy Hash: 7a86c97b80622317cd51d64a88caaed689b75070e1a247366506f3b86626f0c1
Instruction Fuzzy Hash: 4A018F35A043169FDB12AFA9985099ABBF4FF06350B00407AEC14CB212E734D900CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00878AC8 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 494d3a0ef635b987e1fb6597f13d00944560103cbf1b7ad16ba3313e6868d8aa
Instruction ID: e3e9cd7cf4fd76651a8b85e4b15686a3d9fa5ef837396527c619f2fb27e380f2
Opcode Fuzzy Hash: 494d3a0ef635b987e1fb6597f13d00944560103cbf1b7ad16ba3313e6868d8aa
Instruction Fuzzy Hash: D0F062757405208FC614DA1ED444D1AF3EEEFD8A21715406AF149CB374DE61DC02C790

Uniqueness

Uniqueness Score: -1.00%

Function 00879C60 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208561ef3a2e3f47f37e404f07a33c4eaa3fbc85c59e76f1795217c322301329
Instruction ID: ca87e87a8f48a21be4575f902dacf237a90ac83fee1ac384b489f16f553a26d3
Opcode Fuzzy Hash: 208561ef3a2e3f47f37e404f07a33c4eaa3fbc85c59e76f1795217c322301329
Instruction Fuzzy Hash: D6F08235B005204BCA14A62FE554D2AF3EFEFD8A31725C07AE589CB338DE71DC028694

Uniqueness

Uniqueness Score: -1.00%

Function 00882BF0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c2027d6bb3df3753f39b253bfdd1802a37b65070aba190ba9be2ae8af4f6fa5
Instruction ID: 021cf7ca2ebce06a2b5094eabdf9d06cc75f5790e2500dd330698c595ab9dd18
Opcode Fuzzy Hash: 5c2027d6bb3df3753f39b253bfdd1802a37b65070aba190ba9be2ae8af4f6fa5
Instruction Fuzzy Hash: C7019775A102198FCB04EF64C9589DEB7B2FF4C314F110959E801AB361CB7AAD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0087A901 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff1629f05831a14d7aacccb06622f439eb1e96822703db9041658905976bab45
Instruction ID: 64b59ee8a1cf5b932b3ec580406b0fcb454202dc7823d7d54388a6ddec241133
Opcode Fuzzy Hash: ff1629f05831a14d7aacccb06622f439eb1e96822703db9041658905976bab45
Instruction Fuzzy Hash: 42F0F86508E7C29FC3034B3898226863FB0AE43120B0F01EBD884CF5A3D66D4C1ADB72

Uniqueness

Uniqueness Score: -1.00%

Function 00884C90 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f1b1c990b05076a35e07fbb8e462f4ab94dbb3357c3d7c8c13633c68a4f078
Instruction ID: 85a76a6ba672d210f86c85b20dc1b6c413153bf8edc882d689099ec00cace25d
Opcode Fuzzy Hash: 48f1b1c990b05076a35e07fbb8e462f4ab94dbb3357c3d7c8c13633c68a4f078
Instruction Fuzzy Hash: B5F046322021C29BE715B73AC849BE57F5AFF42308F0800A9E000C7592CB7C9C94CB61

Uniqueness

Uniqueness Score: -1.00%

Function 008786C8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ff632a567cb5fe93c77831412355806db601a37abe692d1b6a5088195327c88
Instruction ID: 91112f6f79f2afcd47d149147581170ada66ba2e165c5a8344fe6384d19f70d9
Opcode Fuzzy Hash: 7ff632a567cb5fe93c77831412355806db601a37abe692d1b6a5088195327c88
Instruction Fuzzy Hash: 12F0E5363400204FCA04A61EE448D6AF3EFEFD8A61714406AF24DCB330DEA1DC028794

Uniqueness

Uniqueness Score: -1.00%

Function 00878AB7 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8769a3f4933edae23fe1e32e183d3e2f902540d8d2c1dcabf06850a3f944c73
Instruction ID: fea2c3a622f143399986b73a62755398dc5357fef2375b9e9e205f0af426fddd
Opcode Fuzzy Hash: d8769a3f4933edae23fe1e32e183d3e2f902540d8d2c1dcabf06850a3f944c73
Instruction Fuzzy Hash: 3EF0A0353493905FC712563AA419A56BBE9EFC3A20B1900EFF444CB2A2DE91CC0583A1

Uniqueness

Uniqueness Score: -1.00%

Function 00879301 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2dc61ee0ec5614ea613107d76bd9bfc6c9bbf15dd7f7038dea216f2f8b1b5b
Instruction ID: 8fda924604c2631ffdd84aa5444b88d44deb560fe3f8e10574315cf63dfff8ec
Opcode Fuzzy Hash: fd2dc61ee0ec5614ea613107d76bd9bfc6c9bbf15dd7f7038dea216f2f8b1b5b
Instruction Fuzzy Hash: 31F0A73514D2955BC723066858146A9BF6AEBC2321F09C0ABE8CCCA186D9358C5497B1

Uniqueness

Uniqueness Score: -1.00%

Function 00879EC0 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab18df5f29a5f9e02cc68fc521d04742f10534d1d9295bfa23195b3159d8f2fb
Instruction ID: 92d8bf23c8f9fc4b40c1a7d0cc73400cdbdeb8abe24d3a78ae2d3abff5ebb373
Opcode Fuzzy Hash: ab18df5f29a5f9e02cc68fc521d04742f10534d1d9295bfa23195b3159d8f2fb
Instruction Fuzzy Hash: EEE01A3405D7C28FC3070B74A8222913FB4EE0322074B00D7E848CF8A3DB695C259BB2

Uniqueness

Uniqueness Score: -1.00%

Function 00878A50 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc116c5cd1cea04e614766060eb91aea29438e267671ddba3f45511072dee1c0
Instruction ID: f7f6bb29f55c34664faf10f4ef9a72d21aba72852436d13dda6dcea64a502fe0
Opcode Fuzzy Hash: fc116c5cd1cea04e614766060eb91aea29438e267671ddba3f45511072dee1c0
Instruction Fuzzy Hash: 29E065763001145BCB28EA1DE494DAEB7EAEFCC621715055AE509C3720CE60DC024791

Uniqueness

Uniqueness Score: -1.00%

Function 008785D1 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf60dd0c528a97b172661de000a2834455336068bef27c81c5f01edcae29056c
Instruction ID: 8efe791c62b5d39ab4bbfc68ea41dfe0a013e8789998bfa8effec7fa252647f7
Opcode Fuzzy Hash: cf60dd0c528a97b172661de000a2834455336068bef27c81c5f01edcae29056c
Instruction Fuzzy Hash: 29F0A072A44224AFC710CA99E848ADA7BA9FB88630F114026E40883211CB319C41C790

Uniqueness

Uniqueness Score: -1.00%

Function 00878B51 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96115f67164d532a28b0d40ffb597d2d9b00201c985de1502ce1ea805c4a62f
Instruction ID: 8bc1382c1369f0dd094c0cc5e5f490e98cff074691ba6316a1382e17f49e5df2
Opcode Fuzzy Hash: f96115f67164d532a28b0d40ffb597d2d9b00201c985de1502ce1ea805c4a62f
Instruction Fuzzy Hash: 0CE0D83274C3904FC315522DA81495ABFEACFD7531B18049FE084CB3A2DC91DC0143A6

Uniqueness

Uniqueness Score: -1.00%

Function 00879C50 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 162ed66f5365d65e1bd1209dfd6ac54f91fcd22e1ebfa1a3a6f4479d536f5f83
Instruction ID: 14b29256e5c0d937910264d5d502001f794ef945c24736df4798339b606eb1e1
Opcode Fuzzy Hash: 162ed66f5365d65e1bd1209dfd6ac54f91fcd22e1ebfa1a3a6f4479d536f5f83
Instruction Fuzzy Hash: 5FE0D8313096900FC702523D941896ABFEADFD663071A44FFF085CB376C964CC018351

Uniqueness

Uniqueness Score: -1.00%

Function 00878731 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 477e1ecc856204f6afb683256c516b22519abc15ff87fb96740f24bbafedc27b
Instruction ID: b62974fdcd3d248c4321a05ab5119f157329f58fd309e4b46477b61c2b6bed3d
Opcode Fuzzy Hash: 477e1ecc856204f6afb683256c516b22519abc15ff87fb96740f24bbafedc27b
Instruction Fuzzy Hash: D0E0DF313400189BC718991DA448AAA73DEEFC4631B248027E509C3320CEA4CC4287A0

Uniqueness

Uniqueness Score: -1.00%

Function 0088290F Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e0a031641e88f9915312fcf67dd6dcf69355416e99c20898dc32b713a94c67
Instruction ID: e512ff2fec2c32a60fed686359762001b38f6cbfba8d72ef144462ffcf48191e
Opcode Fuzzy Hash: c6e0a031641e88f9915312fcf67dd6dcf69355416e99c20898dc32b713a94c67
Instruction Fuzzy Hash: 76E0DF303052804FC7425BB8D020AD93BB68F8721070500EAD486CF762CA2A8C068FB2

Uniqueness

Uniqueness Score: -1.00%

Function 00878A60 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96099391a7cba8ec2c1c3169fbcac40108735479c1ff934bff07932624fd9d7d
Instruction ID: c9138febcfbbcb9194c2b855afd5282d9c1f306e39d720daadfa291172f2f814
Opcode Fuzzy Hash: 96099391a7cba8ec2c1c3169fbcac40108735479c1ff934bff07932624fd9d7d
Instruction Fuzzy Hash: 0DE086363101205B4B18EA5DE444C3BB3EF9FCC621314426EF14DC3320CE60DC0547A0

Uniqueness

Uniqueness Score: -1.00%

Function 0087D589 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58e9b1b8438f22666be70963c0a45c33ec116bbbb4f0ca10511755742520be48
Instruction ID: 280413d03721855d3576721a19edb7bafd24c50dc1c920d5626ebb165cfad56b
Opcode Fuzzy Hash: 58e9b1b8438f22666be70963c0a45c33ec116bbbb4f0ca10511755742520be48
Instruction Fuzzy Hash: FEE0C231384A104FD3020768681876B7A96DFD5722F1A406BFC08C72A2DE748C0256A1

Uniqueness

Uniqueness Score: -1.00%

Function 00878740 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 270136dea4a7a9cddca302078102bcdcd9a02617aa65a02636adc26356dfe181
Instruction ID: 8f28042edc0925a733f176ba0eb2d6532bf11b917963f43b633d8b8cf368300e
Opcode Fuzzy Hash: 270136dea4a7a9cddca302078102bcdcd9a02617aa65a02636adc26356dfe181
Instruction Fuzzy Hash: 71D05E323600249B4748A51EA848C7BB7DFEFC9A713358467F50EC7334DDA1DC0142A5

Uniqueness

Uniqueness Score: -1.00%

Function 00882920 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3420ed44337f0c2bfa034e7684ec697ba9f359f97226d1fcaf4ae95d828316ad
Instruction ID: 754848962259f38a41c925d4d8e8ebd574f618695d1398b4c9bacc8277b466dc
Opcode Fuzzy Hash: 3420ed44337f0c2bfa034e7684ec697ba9f359f97226d1fcaf4ae95d828316ad
Instruction Fuzzy Hash: 15D0A7307010105B8614A7B8E054C9D37EA8FC6614B8040A9D006DFB50CE29EC004FEA

Uniqueness

Uniqueness Score: -1.00%

Function 0087D598 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07328a8cccab1cd0501786f46aa045da03213832844d6576d433514ef2eac0f
Instruction ID: 2522b85ebdbd1fbd82a8aa9fb73f43a638ccb17323518dd8325d7c892aaf541e
Opcode Fuzzy Hash: e07328a8cccab1cd0501786f46aa045da03213832844d6576d433514ef2eac0f
Instruction Fuzzy Hash: A7D0A932300520178214129E7808A6BB68ECBC8A21F04402BE909C3382CEA48C0206E6

Uniqueness

Uniqueness Score: -1.00%

Function 0088DEB0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1aa6e27077eca98e1932e62cdfaadcd11fdc1b34f236e08e0351e9abe825a2e
Instruction ID: a7df6d17acc496ea490c26f03b6ec686933dd9e07dfddc01dd519157985269da
Opcode Fuzzy Hash: e1aa6e27077eca98e1932e62cdfaadcd11fdc1b34f236e08e0351e9abe825a2e
Instruction Fuzzy Hash: A5D05E3161EB608FD7318724E4051A67BF4BB56621F04489FE88283E81DB64AC4487D2

Uniqueness

Uniqueness Score: -1.00%

Function 0087A121 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c18d0b2853deff5029e27d25837490861d2d1718f2f9cbae79764709ca9b4e2
Instruction ID: 9d05c0e99fc8eb41b9bfef78ca2c4e1a61cebc9276db19b11c3a7594026891b8
Opcode Fuzzy Hash: 0c18d0b2853deff5029e27d25837490861d2d1718f2f9cbae79764709ca9b4e2
Instruction Fuzzy Hash: 6ED0C9304893C59FC75316B464593453FA85F43120F0945E7D0488B053DAAC49599BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00884A51 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a7e3cc5f8c8343c89b50ff2a1191663cf33354d33b1a3d5aef9e74046f4938
Instruction ID: c7766150a3a96addd9fbde622f0fec7c64261697c83b1dbd09394a8ace7de476
Opcode Fuzzy Hash: 48a7e3cc5f8c8343c89b50ff2a1191663cf33354d33b1a3d5aef9e74046f4938
Instruction Fuzzy Hash: 8EC04C1501E3D04DCB03EBB444B15D23F755D2B24130D64C7C1D18B163C6101516FB72

Uniqueness

Uniqueness Score: -1.00%

Function 0087A960 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd0511d8f0e4baa3891775cc64cf5a3a36e32de665c9f22c7de44966b457b23
Instruction ID: 488590537df40888ee54ea8b2cc3d2c78a78019497258176918ff1e5c16d476e
Opcode Fuzzy Hash: 0bd0511d8f0e4baa3891775cc64cf5a3a36e32de665c9f22c7de44966b457b23
Instruction Fuzzy Hash: 08D0123048D7C48FC343833598645497F306C4301931E49EEC0C6DF567C57A8419CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0087A130 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d50e70fe9f1f429158244b90e4512746944cdae66784aefa1179635063c6751
Instruction ID: f58577de33f4bc6b13dac3e366999a8a348490653920a7e4050d4614644042a9
Opcode Fuzzy Hash: 8d50e70fe9f1f429158244b90e4512746944cdae66784aefa1179635063c6751
Instruction Fuzzy Hash: 52A0223088030C8F832022B03008A88330C80808323808C3AE00E830008FBEE02000C0

Uniqueness

Uniqueness Score: -1.00%

Function 0087A970 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7338efbefa52d62ce5d414de25f79b1b5d9aa11c7bfab11d27b8462581d7a0
Instruction ID: 169c85f48acc98e1fa168d9c27412169f9a3e468bce9f47fabc754d6526c066f
Opcode Fuzzy Hash: ce7338efbefa52d62ce5d414de25f79b1b5d9aa11c7bfab11d27b8462581d7a0
Instruction Fuzzy Hash: 4EA0223088030CCF830022B23008A0CB30C8080800380CC28E00C830028FBAE02008E0

Uniqueness

Uniqueness Score: -1.00%

Function 00879EF0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92790b665ecbade944b875baaad2eb006f5f645ec2383994a1cd40fe796c8279
Instruction ID: 916f22ee0b1928f620940c4f891120e8a3278f1a2c0d8fbbb8bf7d9405d127ca
Opcode Fuzzy Hash: 92790b665ecbade944b875baaad2eb006f5f645ec2383994a1cd40fe796c8279
Instruction Fuzzy Hash: 57A02232CC032C8B820022B03008A08B30C8088A00380CC28E00CC30028F33E02000C0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0087B6B0 Relevance: 5.5, Strings: 4, Instructions: 525COMMON

Download Yara Rule

Strings

XcHl, xrefs: 0087B98F
XcHl, xrefs: 0087BB5C
, xrefs: 0087B79B
XcHl, xrefs: 0087BB68

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID: $XcHl$XcHl$XcHl
API String ID: 0-3887131954
Opcode ID: 5b7c7f39c90c2b2f4dc4ee53e91f1f442194e8a7e7f9014ad860d0bd3ca77fed
Instruction ID: 5ad327cfef84a54ebdc4a37809ff958a2ee8f4b6bebbed0092efe9f7b58b5b73
Opcode Fuzzy Hash: 5b7c7f39c90c2b2f4dc4ee53e91f1f442194e8a7e7f9014ad860d0bd3ca77fed
Instruction Fuzzy Hash: A6122734B002188FDB24DB74C594B6EB6A6FF89314F298469D90AEB3A5DF34DC41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00873168 Relevance: 4.7, Strings: 3, Instructions: 927COMMON

Download Yara Rule

Strings

D!Dl, xrefs: 00873683
D0Hl, xrefs: 008731A3
D!Dl, xrefs: 00873E39

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID: D!Dl$D!Dl$D0Hl
API String ID: 0-3379780943
Opcode ID: afd3c84c717b60bab4468e8366b4c8ba7f8917417d329ee850fda32b65ea5c74
Instruction ID: acb96369d546e7880f2e51cf2bf9d02d99ee6e5b5387901bf87c823baa165010
Opcode Fuzzy Hash: afd3c84c717b60bab4468e8366b4c8ba7f8917417d329ee850fda32b65ea5c74
Instruction Fuzzy Hash: 4782BF31E00659DFCB11DF64C8446DEB7B2FF89304F1185AAE549AB290DB30AE85DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00870B90 Relevance: 3.1, Strings: 2, Instructions: 600COMMON

Download Yara Rule

Strings

XcHl, xrefs: 00870E8A
\vHl, xrefs: 00870D01

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID: XcHl$\vHl
API String ID: 0-3765920229
Opcode ID: 3663aa2854da8df588d31628e0894b07d869b925130ecfbae3be36903c04b274
Instruction ID: 39937b92c961ea829b7fc64ca8863bcdadcc1fd7f356e53382f4a56f408978e6
Opcode Fuzzy Hash: 3663aa2854da8df588d31628e0894b07d869b925130ecfbae3be36903c04b274
Instruction Fuzzy Hash: 51327A30B046098FDB14DB78C598AAEB7E2FF88318F158569D50ADB3A5DB34EC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0087B6A0 Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

XcHl, xrefs: 0087B98F

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID: XcHl
API String ID: 0-432563542
Opcode ID: 2092b8ba6b3a9e510de0723130e7e29f63b71c12a1687aec7a4bb49c3f688832
Instruction ID: 209bbc10fe1cd7244511c79bd10afe9f89b594c061ed6457d85209decc74d9ba
Opcode Fuzzy Hash: 2092b8ba6b3a9e510de0723130e7e29f63b71c12a1687aec7a4bb49c3f688832
Instruction Fuzzy Hash: B0A12A34A002189FDB24DB64C954B6EBBF6FF89304F158469D90AEB3A5DB34DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00871428 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cded1cf856098e6b7d34778cc60f0865ee9f5e25cff5d728a1b92eec6bf2bdb
Instruction ID: 9f1530e42e61aeda35085e1cdb4ceeaa6b7cd3c55cee92124c52f74e825231b4
Opcode Fuzzy Hash: 5cded1cf856098e6b7d34778cc60f0865ee9f5e25cff5d728a1b92eec6bf2bdb
Instruction Fuzzy Hash: 2D327E74B002148FDB24DBB8C958AAEB7E6FB88300F25C06AD50ADB755DF30DD458B92

Uniqueness

Uniqueness Score: -1.00%

Function 00874BC8 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2647c2d613adae5aea50afc37c7e14ff326320136df3a6170bc66ee7dc9e2aad
Instruction ID: 6ef2f8f5dbf5b63867da89c00a262de6beb09fba93ff084877079a3a7f9825e1
Opcode Fuzzy Hash: 2647c2d613adae5aea50afc37c7e14ff326320136df3a6170bc66ee7dc9e2aad
Instruction Fuzzy Hash: 0812AF31B042048FDB24DB68C484AAEBBE6FF85324F25C46AD959CB299DB35DC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00887538 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565861663.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_880000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf5345b7b164458822c969a4977b06e988357db61c727d00feac76949d7c1af
Instruction ID: 57d68f6c5cce97db5d4256d1658176a3177d273d2662326fe93182c19e53046f
Opcode Fuzzy Hash: fcf5345b7b164458822c969a4977b06e988357db61c727d00feac76949d7c1af
Instruction Fuzzy Hash: 0802A074A042449FDB15EBA8D854BAEBBF6FF89310F258469E505EB391DB34EC01CB50

Uniqueness

Uniqueness Score: -1.00%

Function 008793B8 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9d79c93d0badec967e574811dd7af205c44c445f028eef0e655a549f0d096f
Instruction ID: dd19651eb5f021fef06cc414eb5d0a36df62114675d47c80206debe4c62c1382
Opcode Fuzzy Hash: cc9d79c93d0badec967e574811dd7af205c44c445f028eef0e655a549f0d096f
Instruction Fuzzy Hash: 3DC1DD347042048FDB14DF74C984A6AB7A6FF85314F25C569E88ACB399DB34EC46CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0087CB70 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.565717634.0000000000870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_870000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7b83118bfb72a74c5fbb99bdcf3e1e5b31d8154a924828c2ad5dd80dfc480d
Instruction ID: 474a9b6c8b0ba87cc4f5a58558de91c238607043f157cad99a0a82fc10d975bf
Opcode Fuzzy Hash: 9b7b83118bfb72a74c5fbb99bdcf3e1e5b31d8154a924828c2ad5dd80dfc480d
Instruction Fuzzy Hash: 18817C74B002019BEB34DB74C954A6B7AE6EB88314F26C52DD94ADB394DF34EC418BA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 6712, Parent PID: 7036COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	4

Executed Functions

Function 035D9D00 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 035D9D78

Memory Dump Source

Source File: 00000014.00000002.568507081.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_35d0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9d8da41b46974ebbc716b66b892a3143cd186f912b444cd91e701e760de7f75c
Instruction ID: 6416eb39260e77a450cb7c16a1f57f8b46da38acc1503de1b3e5f77d0ab8cc65
Opcode Fuzzy Hash: 9d8da41b46974ebbc716b66b892a3143cd186f912b444cd91e701e760de7f75c
Instruction Fuzzy Hash: CF2144B1D046199BCB10DF9AD4447DEFBB4FB49324F15822AD819A3350C734A901CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 035D76A0 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNELBASE(00000000), ref: 035D9D78

Memory Dump Source

Source File: 00000014.00000002.568507081.00000000035D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_35d0000_powershell.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63a8be712e26e82aa58c10cb4b2c8dc637747ca1bed7284b132646bfefd83b16
Instruction ID: 1a0179f752f0b4143d816c9929c4b40c0c427f80021b9731e6ebf3b407bafde9
Opcode Fuzzy Hash: 63a8be712e26e82aa58c10cb4b2c8dc637747ca1bed7284b132646bfefd83b16
Instruction Fuzzy Hash: 0F2122B1D046599BCB10DF9AD448B9EFBB4FB49320F05812AE819A7250D774A940CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 032FD006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.566352857.00000000032FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3884b3909ddd66cbbc2859df05eedae6679d846333fcfcf8bfbe96ac4aadc42c
Instruction ID: befd6f9f63d46a4b72615334206c917318f8dac76d11673a51a404520617f07f
Opcode Fuzzy Hash: 3884b3909ddd66cbbc2859df05eedae6679d846333fcfcf8bfbe96ac4aadc42c
Instruction Fuzzy Hash: A601296140D3D09FD7128B25C894B56BFB8AF43224F1D80DBD9848F2A7C2699848C772

Uniqueness

Uniqueness Score: -1.00%

Function 032FD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.566352857.00000000032FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 032FD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_32fd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a6c8bd07bdaf33f624fd40645993c8ca87ad41b3a1ff2a46cf407fbd65172d
Instruction ID: 03a2aea811c54c9362da3bebd49c40d9e3043e05c915c3a35f0cd563c0deb283
Opcode Fuzzy Hash: 64a6c8bd07bdaf33f624fd40645993c8ca87ad41b3a1ff2a46cf407fbd65172d
Instruction Fuzzy Hash: 6B01A771418354AFE7108A26C984B66FB98EF41374F08C56EEF055B28AC3799585CAB1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LHRUnlocker Install.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\MSIEF62.tmp

C:\Users\user\AppData\Local\Temp\MSIF280.tmp

C:\Users\user\AppData\Local\Temp\MSIF34C.tmp

C:\Users\user\AppData\Local\Temp\MSIF447.tmp

C:\Users\user\AppData\Local\Temp\MSIF513.tmp

C:\Users\user\AppData\Local\Temp\MSIF69B.tmp

C:\Users\user\AppData\Local\Temp\MSIF832.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xdfaoyo.lnf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2ddoyuu.1tk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lf5no10l.5dz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhr5i13g.js1.psm1

C:\Users\user\AppData\Local\Temp\pss341F.ps1

C:\Users\user\AppData\Local\Temp\scr3351.ps1

C:\Users\user\Documents\20220223\PowerShell_transcript.878411.jRMym6xB.20220223184945.txt

C:\Windows\Installer\3c1a5a.msi

C:\Windows\Installer\MSI1FD8.tmp

C:\Windows\Installer\MSI2874.tmp

C:\Windows\Installer\MSI3268.tmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Static File Info

General

File Icon

Static OLE Info

Windows Analysis Report
LHRUnlocker Install.msi