Windows Analysis Report
LHRUnlocker Install.msi

Overview

General Information

Sample Name:LHRUnlocker Install.msi
Analysis ID:577501
MD5:ca17c1bbedc959ad89f1c1dbf6b7aa32
SHA1:d24658face1f6fd3b457d7250c9b1a630798678d
SHA256:8fb46d2d56dd411ad10862204849abf9a4546f1ab1d40bcb6b0cac284debc055

Detection

Score:45
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: Suspicious Script Execution From Temp Folder
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Powershell Defender Exclusion
Adds a directory exclusion to Windows Defender
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • msiexec.exe (PID: 4348 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 3744 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 4884 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 6736 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • powershell.exe (PID: 7036 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue." MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup
No configs have been found
Source: Process Memory Space: powershell.exe PID: 7036
Rule: PowerShell_Susp_Parameter_Combo
Description: Detects PowerShell invocation with suspicious parameters
Author: Florian Roth
Strings:
  • 0xbd9b:$sa2: -encodedCommand
  • 0xbdc7:$sa2: -encodedCommand
  • 0xc4ac:$sa2: -EncodedCommand
  • 0xcfb6:$sa2: -EncodedCommand
  • 0xd051:$sa2: -encodedCommand
  • 0x11e5:$sc2: -NoProfile
  • 0x48a3:$sc2: -NoProfile
  • 0x684d:$sc2: -NoProfile
  • 0x286cc:$sc2: -NoProfile
  • 0x316ce:$sc2: -NoProfile
  • 0x3181e:$sc2: -NoProfile
  • 0x31c90:$sc2: -NoProfile
  • 0x32004:$sc2: -NoProfile
  • 0x32289:$sc2: -NoProfile
  • 0x32607:$sc2: -NoProfile
  • 0x3c815:$sc2: -NoProfile
  • 0x7b6f6:$sc2: -NoProfile
  • 0x7b846:$sc2: -NoProfile
  • 0x7c19f:$sc2: -NoProfile
  • 0x7c503:$sc2: -NoProfile
  • 0x7cbcd:$sc2: -NoProfile

System Summary

Source: Process startedAuthor: Florian Roth, Max Altgelt: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036
Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036
Source: Process startedAuthor: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, ProcessId: 6712
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036
Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132901445801825560.7036.DefaultAppDomain.powershell

Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb> source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbj source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb` source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: C:\Windows\System32\msiexec.exeFile opened: z:
Source: C:\Windows\System32\msiexec.exeFile opened: x:
Source: C:\Windows\System32\msiexec.exeFile opened: v:
Source: C:\Windows\System32\msiexec.exeFile opened: t:
Source: C:\Windows\System32\msiexec.exeFile opened: r:
Source: C:\Windows\System32\msiexec.exeFile opened: p:
Source: C:\Windows\System32\msiexec.exeFile opened: n:
Source: C:\Windows\System32\msiexec.exeFile opened: l:
Source: C:\Windows\System32\msiexec.exeFile opened: j:
Source: C:\Windows\System32\msiexec.exeFile opened: h:
Source: C:\Windows\System32\msiexec.exeFile opened: f:
Source: C:\Windows\System32\msiexec.exeFile opened: b:
Source: C:\Windows\System32\msiexec.exeFile opened: y:
Source: C:\Windows\System32\msiexec.exeFile opened: w:
Source: C:\Windows\System32\msiexec.exeFile opened: u:
Source: C:\Windows\System32\msiexec.exeFile opened: s:
Source: C:\Windows\System32\msiexec.exeFile opened: q:
Source: C:\Windows\System32\msiexec.exeFile opened: o:
Source: C:\Windows\System32\msiexec.exeFile opened: m:
Source: C:\Windows\System32\msiexec.exeFile opened: k:
Source: C:\Windows\System32\msiexec.exeFile opened: i:
Source: C:\Windows\System32\msiexec.exeFile opened: g:
Source: C:\Windows\System32\msiexec.exeFile opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: c:
Source: C:\Windows\System32\msiexec.exeFile opened: a:
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000014.00000002.567216756.0000000003417000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://ocsp.digicert.com0C
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png0
Source: powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.569706056.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569503503.0000000005321000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://t2.symcb.com0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://tl.symcb.com/tl.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://tl.symcb.com/tl.crt0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://tl.symcd.com0&
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: http://www.digicert.com/CPS0
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.drString found in binary or memory: http://www.winimage.com/zLibDll
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.drString found in binary or memory: http://www.winimage.com/zLibDll1.2.7rbr
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.drString found in binary or memory: https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester0
Source: powershell.exe, 00000008.00000003.527476361.00000000057BD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
Source: 3c1a5a.msi.1.drString found in binary or memory: https://t.me/LHRUnlockerChannelButtonText_Finish&FinishManufacturerSergeyProductCode
Source: 3c1a5a.msi.1.drString found in binary or memory: https://t.me/LHRUnlockerMSIFASTINSTALLAI_CURRENT_YEAR2022ButtonText_Decline&DeclineAI_PREDEF_LCONDS_
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: https://www.advancedinstaller.com
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: https://www.digicert.com/CPS0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: https://www.thawte.com/cps0/
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.drString found in binary or memory: https://www.thawte.com/repository0W
Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTRMatched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI1FD8.tmp
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\3c1a5a.msi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess Stats: CPU usage > 98%
Source: LHRUnlocker Install.msiBinary or memory string: OriginalFilenameviewer.exeF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msiBinary or memory string: OriginalFilenameSoftwareDetector.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msiBinary or memory string: OriginalFilenameShortcutFlags.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msiBinary or memory string: OriginalFilenameAICustAct.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msiBinary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msiBinary or memory string: OriginalFilenameFileOperations.dllF vs LHRUnlocker Install.msi
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi"
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4
Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Documents\20220223
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmp
Source: classification engineClassification label: mal45.evad.winMSI@11/20@0/0
Source: C:\Windows\System32\msiexec.exeFile read: C:\Windows\win.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: LHRUnlocker Install.msiStatic file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_01
Source: C:\Windows\System32\msiexec.exeAutomated click: Next >
Source: C:\Windows\System32\msiexec.exeAutomated click: Next >
Source: C:\Windows\System32\msiexec.exeAutomated click: Install
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: LHRUnlocker Install.msiStatic file information: File size 7207424 > 1048576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00873168 push eax; mov dword ptr [esp], edx 8_2_00873464
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00878B31 push eax; retf 8_2_00878B3D
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF513.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF34C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF280.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF69B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3268.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2874.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF832.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1FD8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIF447.tmp
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX