Windows Analysis Report
406D457B011C4E0E91EF918550DD5682.exe

Overview

General Information

Sample Name: 406D457B011C4E0E91EF918550DD5682.exe
Original Sample Name: 406D457B011C4E0E91EF918550DD5682.MAL_decrypted
Analysis ID: 1286089
MD5: 475845969707b5ac6e04ed14514814bb
SHA1: cb1092c4f40fd151baa308e5f5dd8a61956660df
SHA256: 47b084fef24401868bffadad16ad925923fdd17f3c694cabfaedb4219e6d5358

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Yara signature match
Sample file is different than original file name gathered from version info
One or more processes crash
Checks if the current process is being debugged
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Entry point lies outside standard sections

Classification

Classification chart categories (radar chart, values not recoverable): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious

AV Detection

Source: 406D457B011C4E0E91EF918550DD5682.exe Avira: detected
Source: 406D457B011C4E0E91EF918550DD5682.exe ReversingLabs: Detection: 36%
Source: 406D457B011C4E0E91EF918550DD5682.exe Virustotal: Detection: 28%
Source: http://comfirm001.site.bz/hl/dhl%20zip/dhl/dhl%20_%20tracking.htm Avira URL Cloud: Label: phishing
Source: 406D457B011C4E0E91EF918550DD5682.exe Joe Sandbox ML: detected
Source: 406D457B011C4E0E91EF918550DD5682.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 406D457B011C4E0E91EF918550DD5682.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Projects\LabSolutionsCore\SOURCE_MNG\SOURCE_EXE\LSSDataManagerHostExtendDb\obj\x86\Release\LSSDataManagerHostExtendDb.pdbhr source: 406D457B011C4E0E91EF918550DD5682.exe
Source: Binary string: C:\Projects\LabSolutionsCore\SOURCE_MNG\SOURCE_EXE\LSSDataManagerHostExtendDb\obj\x86\Release\LSSDataManagerHostExtendDb.pdb source: 406D457B011C4E0E91EF918550DD5682.exe
Source: Binary string: 3MpVeUMobZnoAKRDQvRK7WoV8kPSFCEQjkbc1qn64vxw3m8ge992jpfklvv4e2jq7k34zw9r9nldLNoffeuYXZDWuq5oLQjugsubiFD57HAVMZBitcoinClipboardMalware-1-master\btcclipboard\x64\Release\avery.pdb source: 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://avocat.com.br/imt/su/index.html
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://bit.ly/1r9mffb)
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://comfirm001.site.bz/hl/dhl%20zip/dhl/dhl%20_%20tracking.htm
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://crl.r2m01.amazontrust.com/r2m01.crl0
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://crt.r2m01.amazontrust.com/r2m01.cer0
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://grandsteel.kz/stats.php
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://mavmor.in/loop.php
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://nlog-project.org/ws/
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://nlog-project.org/ws/3
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponse
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://nlog-project.org/ws/T
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://ocsp.digicert.com0
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://ocsp.r2m01.amazontrust.com06
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://subca.crl.certum.pl/ctnca.crl0k
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: https://live.com/
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: https://local.teams.office.com/sourcemaps/hashed-assets/23524-5c06aaa6e3a0dbf8.js.map
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: https://statics.teams.cdn.live.net/teams-modular-packages/hashed-assets/23524-5c06aaa6e3a0dbf8.js
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: https://statics.teams.cdn.live.net/teams-modular-packages/hashed-assets/23524-5c06aaa6e3a0dbf8.jsaDb
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433099050.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 406D457B011C4E0E91EF918550DD5682.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.406D457B011C4E0E91EF918550DD5682.exe.13c0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.406D457B011C4E0E91EF918550DD5682.exe.13c0000.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.352376322.00000000014A2000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.433190635.00000000014A2000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: 406D457B011C4E0E91EF918550DD5682.exe PID: 4108, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 406D457B011C4E0E91EF918550DD5682.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 406D457B011C4E0E91EF918550DD5682.exe Static PE information: No import functions for PE file found
Source: 406D457B011C4E0E91EF918550DD5682.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.406D457B011C4E0E91EF918550DD5682.exe.13c0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.406D457B011C4E0E91EF918550DD5682.exe.13c0000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.352376322.00000000014A2000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.433190635.00000000014A2000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: 406D457B011C4E0E91EF918550DD5682.exe PID: 4108, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: Base<KernelFileMonitorEvent>, &_::sha1, &_::sha256, &_::md5, &_::patternType, &_::fileSize, &_::volumeLocation, &_::fileDescription, &_::productName, &_::originalFileName, &_::productVersion vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: OriginalFilename vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: System.OriginalFileName vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: originalFilename2$ vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000000.352376322.00000000014A2000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: System.OriginalFileName vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000000.352376322.00000000014A2000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.00000000016B9000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: Base<KernelFileMonitorEvent>, &_::sha1, &_::sha256, &_::md5, &_::patternType, &_::fileSize, &_::volumeLocation, &_::fileDescription, &_::productName, &_::originalFileName, &_::productVersion vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.00000000013C0000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: originalFilename2 vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.0000000001809000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: }J%_originalFilename2 vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000000.352376322.0000000001820000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: originalFilename2 vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.0000000001574000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamenslookup.exeD vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.0000000001574000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: originalFilename2 vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.0000000001674000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameLSSDataManagerHostExtendDb.exe: vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.0000000001854000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: originalFilename2$ vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.0000000001854000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: originalFilename2$t vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: originalFilename2 vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: OriginalFilenamemsvcp140_1.dllT vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: OriginalFilenamenslookup.exeD vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: OriginalFilenameLSSDataManagerHostExtendDb.exe: vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: }J%_originalFilename2 vs 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: originalFilename2$t vs 406D457B011C4E0E91EF918550DD5682.exe
Source: C:\Users\user\Desktop\406D457B011C4E0E91EF918550DD5682.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 228
Source: 406D457B011C4E0E91EF918550DD5682.exe Static PE information: Section .xray
Source: 406D457B011C4E0E91EF918550DD5682.exe ReversingLabs: Detection: 36%
Source: 406D457B011C4E0E91EF918550DD5682.exe Virustotal: Detection: 28%
Source: C:\Users\user\Desktop\406D457B011C4E0E91EF918550DD5682.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\406D457B011C4E0E91EF918550DD5682.exe C:\Users\user\Desktop\406D457B011C4E0E91EF918550DD5682.exe
Source: C:\Users\user\Desktop\406D457B011C4E0E91EF918550DD5682.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\406D457B011C4E0E91EF918550DD5682.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 228
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4468:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4108
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1233.tmp
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: Microsoft-Windows-Assistance-CollectionFiles-Help
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: Microsoft-Windows-InstallShield-WOW64-SetupDLL0009
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: ^%-help%-file%.txt$
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: Microsoft-Windows-Installer-Engine.Resources
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: Microsoft-Windows-Assistance-CollectionFiles-HelpName
Source: 406D457B011C4E0E91EF918550DD5682.exe String found in binary or memory: Microsoft-Windows-InstallShield-WOW64-SetupDLL0009wow64Name.SysWOW64\InstallShield\setupdir\000931bf3856ad364e35
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: h\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.6\02_Extend_PROJECT_0_MSDE.sqlx
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: Y\Device\HarddiskVolume3\Windows\Temp\JET96FB.tmp
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: CertificateVerifier verifying certificate completed for '\\?\GLOBALROOT\Device\HarddiskVolume3\Windows\System32\dwminit.dll', SHA1: 'dafbcc8c1f39390f407b33a6a39e483aeb95bc4a', result: 'SignedKnownAndVerified', total time spent: '38300' nanoseconds, cache status: 'Hit', lookup took: '20600' nanoseconds,
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\mshta.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: ]\Device\HarddiskVolume3\Program Files (x86)\Splashtop\Splashtop Remote\Server\QuicServer.cert
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Default\Service Worker\CacheStorage\a957449e0c17def967fb86220c8cab1d9f0a68fc\af5e
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\DriverStore\FileRepository\lms.inf_amd64_4dbf190c04dbd474\LMS.exeble4
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_diagnostics_system_printer_22190c3ab8798fd9.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: ]\Device\HarddiskVolume3\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUAgent.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\en-US\ssdpsrv.dll.mui
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\OneDrive - LGM Pharma\WinsonBC\AP\Thyroid\Stability_S02-200_RT-AT_06272023\S02-200_RT-AT_06272023\RS_Thyroid_Iodine_20230627-212732.pdf
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: (Target: (Uid: 829F78DBA34EB626, Path: \Device\HarddiskVolume3\Windows\System32\gpsvc.dll), Event: <research_serviceRun, eventSourceType = Legacy, mainContentCert = SignedKnownAndVerified>)
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: K\Device\HarddiskVolume3\LabSolutions\System\LoginManagement.mdb~RF131e8.TMP
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\Modules\StorageBusCache\StorageBusTargetDeviceInstance.cdxml
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: j\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.3\01_Extend_SSHIMADZU_Oracle.sqlx
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: @\Device\HarddiskVolume3\Windows\Prefetch\SVCHOST.EXE-974DACA0.pf
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: Windows Defender Exploit Guard detected Office application injecting code into the process.ileC:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\SenseCncProxy.exeC:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Platform\*\SenseCM.exeexeWindows Defender Exploit Guard detected the launch of a newly created untrusted executable file\Device\HarddiskVolume3\Program Files\Adobe\Adobe Creative Cloud Experience\libs\node.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Default\Service Worker\CacheStorage\a957449e0c17def967fb86220c8cab1d9f0a68fc\af5e6e91-7a0d-4584-9757-519f6f202f7b\ad04bcd31c122994_04_0r\*\
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: X\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.2\Resources.dat
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\LabSolutions\System\istInfo.sdf
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\PROGRAM FILES\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe9E2SINE
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\nbtstat.exexe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: `\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.0\Resources.zh-Hans.dat
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MicrosoftGraphRecentItemsManager.dlldllntator
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_diagnostics_system_apps_8b2c3dfa1936baf1.cdf-mshbin
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: o\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.6\02_Extend_PROJECT_COMMON_Oracle.sqlx
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: (Target: (Uid: 349F78DBA34EB626, Path: \Device\HarddiskVolume3\Windows\System32\svchost.exe), Event: <group_create, isSystem = True, isExecutable = True, isTemporary = False, verificationType = SignedKnownAndVerified, extensionType = Executable, isActiveContent = False, activeContentTypeForExecutable = Exe, eventSourceType = Legacy>)
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: j\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.2\01_Extend_SSHIMADZU_Oracle.sqlx
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.text.regularexpressions_v4.0_4.0.0.0_b03f5f7f11d50a3a_bff18186e48a129f.cdf-ms'
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: CertificateVerifier verifying certificate completed for '\Device\HarddiskVolume3\Program Files (x86)\LabSolutions\LSSDbPatchForm.exe', SHA1: 'bce484de1446bf8948891268cead218d52b130a7', result: 'NotSigned', total time spent: '68900' nanoseconds, cache status: 'Hit', lookup took: '30300' nanoseconds,
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\Desktoplnsrcei
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\getmac.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\certprop.dll(
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: )\Device\HarddiskVolume3\LabS
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: r\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.1\02_Extend_ShimadzuAttestServer_Msde.sql
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\WerFault.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\ipconfig.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\H
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\Modules\StorageBusCache\StorageBusClientDevice.cdxml
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: [\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.4\Resources.ja.dat
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: _pathr5\Device\HarddiskVolume3\Windows\System32\kernel32.dll
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: r\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.4\01_Extend_ShimadzuAttestServer_Msde.sql
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\en-US\shell32.dll.muiMZ
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: [\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.0\Resources.ja.dat
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: j\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.1\01_Extend_PROJECT_0_Oracle.sqlx
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: s\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.2\01_Extend_ShimadzuAttestServer_Msde.sqlx
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HardDiskVolume*\*\sftservice.exetServi
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\apphelp.dllh
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Default\Network\Network Persistent State~RF1d452.TMP
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_diagnostics_system_bits_8b2c45941936af7d.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: G\Device\HarddiskVolume3\LabSolutions\Work\Cache_6C04_9F6C38\~LSAE0D.tmp
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\AppData\Local\Packages\MicrosoftTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams\EBWebView\Default\Network\bb668e44-8ed1-4e44-af02-eab1706825e4.tmp
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: s\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.1\02_Extend_ShimadzuAttestServer_Msde.sqlx
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: M\Device\HarddiskVolume3\LabSolutions\Work\Cache_6C04_9F6C38\~LSAE50-27652.gcd
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\OneDrive - LGM Pharma\WinsonBC\AP\Thyroid\Stability_S02-200_RT-AT_06272023\S02-200_RT-AT_06272023\RS_Thyroid_Iodine_20230627-204715.pdf
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\OneDrive - LGM Pharma\WinsonBC\AP\ThPcmH
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: s\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.0\01_Extend_ShimadzuAttestServer_Msde.sqlx
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\netsh.exe@
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: D\Device\HarddiskVolume3\Program Files (x86)\LabSolutions\UNLHA32.DLL
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_boot_pcat_uk-ua_d80380342e7dfdb7.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_boot_resources_0adab7ac98c3dc03.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\en-US\shell32.dll.mui
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\LabSolutions\System\ShimadzuAttestObstacle.ldb
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: C\Device\HarddiskVolume3\LabSolutions\Work\Cache_F04_A69\JET1375.tmp
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\OneDrive - LGM Pharma\WinsonBC\AP\Thyroid\Stability_S02-200_RT-AT_06272023\S02-200_RT-AT_06272023\RS_Thyroid_Iodine_20230627-195956.pdf
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: 0\Device\HarddiskVolume3\Windows\Temp\JETDE1E.tmp
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \device\mup
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_syswow64_migration_bdcfa47e8790e0c4.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: r\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.3\01_Extend_ShimadzuAttestServer_Msde.sql
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: @\Device\HarddiskVolume3\Windows\Prefetch\SVCHOST.EXE-D0F686CF.pf
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_apppatch_customsdb_3bf1ff155493adb9.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: X\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.6\Resources.dat
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: [\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.3\Resources.ja.dat
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Program Files (x86)\Logitech\LWS\Webcam Software\CameraHelperShell.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Program Files\Common FileslesX
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: b\Device\HarddiskVolume3\ProgramData\Microsoft\Windows\AppRepository\StateRepository-Deployment.srd
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\StorageUsage.dll
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: 8\Device\HarddiskVolume3\LabSolutions\Log\LSSLocalLog.ldbZ
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_apppatch_custom_2adff76bea4847ec.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \\Device\HarddiskVolume3\Program Files (x86)\Splashtop\Splashtop Remote\Server\QuicServer.key
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe\Dev
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.windows.cloudexperiencehost_cw5n1h2txyewy_core_js_2a738435bdbe8f70.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\Modules\StorageBusCache\StorageBusCache.format.ps1xml
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Program Files (x86)\Barracuda\Barracuda Backup Agent\win\x86_64\BackupService.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\Microsoft.NET
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_microsoft.net_assembly_gac_msil_system.threading.timer_v4.0_4.0.0.0_b03f5f7f11d50a3a_81fa31df76585be2.cdf-mswv6
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: G\Device\HarddiskVolume3\LabSolutions\Work\Cache_6C04_9F6C38\~LSAE0E.tmp
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\wbem\wmic.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_diagnostics_system_power_9d457dc1c7c54838.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: 0\Device\HarddiskVolume3\Windows\Temp\JETE976.tmp
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\adminlgm.ANABOLIC_HQ\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\assembly
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\winsxs\*\tiworker.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: [\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.2\Resources.ja.dat
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_ocr_en-us_f85f725907edb9b8.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\msftedit.dll8
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_boot_pcat_qps-plocm_a218927645e9595a.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\LabSolutions\System\LSSMultiDataRegistInfo.sdf
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_systemapps_microsoft.microsoftedgedevtoolsclient_8wekyb3d8bbwe_23_debugger_81168649365dfec5.cdf-ms'S
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\cmd.exe0
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: _pathl2\Device\HarddiskVolume3\Windows\System32\wow64.dll
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: ^\Device\HarddiskVolume3\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUClient.dll
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_diagtrack_scenarios_ce5f6e43b7ab3f41.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: `\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.2\Resources.zh-Hans.dat
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: LdrpUnloadNode\Device\SrpDeviceDLL "%wZ" has TLS information at %p
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\System32\FirewallAPI.dll
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_microsoft.net_framework_v4.0.30319_config_632772819e294ecb.cdf-ms
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_system32_windowspowershell_v1.0_modules_psdesiredstateconfiguration_dscresources_msft_logresource_55a4f1e43ab800fa.cdf-ms'/
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: J\Device\HarddiskVolume3\LabSolutions\Work\extension\20230412110939520\V2.1$
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Windows\WinSxS\FileMaps\$$_diagnostics_system_bits_8b2c45941936af7d.cdf-msPcmH
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary string: \Device\HarddiskVolume3\Users\boonhuat.chee\OneDrive - LGM Pharma\WinsonBC\AP\Thyroid\Stability_S02-200_RT-AT_06272023\S02-200_RT-AT_06272023\RS_Thyroid_Iodine_20230627-214742.pdf
Source: classification engine Classification label: mal76.winEXE@3/6@0/0
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: 406D457B011C4E0E91EF918550DD5682.exe, 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.0000000001854000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.00000000016B9000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: SELECT _PackageID, _Revision, _WorkId, PackageFamily, ResourceId, Architecture, Version, PackageFullName, IsInbox, PackageType, Flags, Flags2, DisplayName, PublisherDisplayName, Description, Logo, OSMinVersion, OSMaxVersionTested, TargetDeviceFamily, Capabilities, SupportedUsers, SignatureOrigin, PackageOrigin, Enterprise, SourceBundle, EditionId, OSVersionWhenIndexed, InPlaceUpdateBaseline, _Dictionary FROM Package WHERE EditionId IS ? AND (_WorkId=0 OR _WorkId=?);
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.00000000016B9000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: SELECT _PackageID, _Revision, _WorkId, PackageFamily, ResourceId, Architecture, Version, PackageFullName, IsInbox, PackageType, Flags, Flags2, DisplayName, PublisherDisplayName, Description, Logo, OSMinVersion, OSMaxVersionTested, TargetDeviceFamily, Capabilities, SupportedUsers, SignatureOrigin, PackageOrigin, Enterprise, SourceBundle, EditionId, OSVersionWhenIndexed, InPlaceUpdateBaseline, _Dictionary FROM Package WHERE PackageFamily=? AND PackageType & ? !=0 AND _WorkId=0;
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.00000000016B9000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: SELECT _PackageID, _Revision, _WorkId, PackageFamily, ResourceId, Architecture, Version, PackageFullName, IsInbox, PackageType, Flags, Flags2, DisplayName, PublisherDisplayName, Description, Logo, OSMinVersion, OSMaxVersionTested, TargetDeviceFamily, Capabilities, SupportedUsers, SignatureOrigin, PackageOrigin, Enterprise, SourceBundle, EditionId, OSVersionWhenIndexed, InPlaceUpdateBaseline, _Dictionary FROM Package WHERE PackageFamily=? AND PackageType & ? !=0 AND ResourceId IS ? AND _WorkId=0;
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.00000000016B9000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: SELECT _PackageID, _Revision, _WorkId, PackageFamily, ResourceId, Architecture, Version, PackageFullName, IsInbox, PackageType, Flags, Flags2, DisplayName, PublisherDisplayName, Description, Logo, OSMinVersion, OSMaxVersionTested, TargetDeviceFamily, Capabilities, SupportedUsers, SignatureOrigin, PackageOrigin, Enterprise, SourceBundle, EditionId, OSVersionWhenIndexed, InPlaceUpdateBaseline, _Dictionary FROM Package WHERE PackageFamily=? AND PackageType & ? !=0 AND ResourceId IS ? AND (_WorkId=0 OR _WorkId=?);
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.00000000016B9000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: SELECT _PackageID, _Revision, _WorkId, PackageFamily, ResourceId, Architecture, Version, PackageFullName, IsInbox, PackageType, Flags, Flags2, DisplayName, PublisherDisplayName, Description, Logo, OSMinVersion, OSMaxVersionTested, TargetDeviceFamily, Capabilities, SupportedUsers, SignatureOrigin, PackageOrigin, Enterprise, SourceBundle, EditionId, OSVersionWhenIndexed, InPlaceUpdateBaseline, _Dictionary FROM Package WHERE EditionId IS ? AND _WorkId=0;
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.00000000016B9000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: SELECT _PackageID, _Revision, _WorkId, PackageFamily, ResourceId, Architecture, Version, PackageFullName, IsInbox, PackageType, Flags, Flags2, DisplayName, PublisherDisplayName, Description, Logo, OSMinVersion, OSMaxVersionTested, TargetDeviceFamily, Capabilities, SupportedUsers, SignatureOrigin, PackageOrigin, Enterprise, SourceBundle, EditionId, OSVersionWhenIndexed, InPlaceUpdateBaseline, _Dictionary FROM Package WHERE PackageFamily=? AND ResourceId IS ? AND (_WorkId=0 OR _WorkId=?);
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.0000000001854000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);viewVIEWTABLEname='%q' AND type='index'sqlite_temp_masterviews may not be indexedtbl_name='%q' AND type!='trigger'UPDATE %Q.%s SET type='%s', name=%Q, tbl_name=%Q, rootpage=#%d, sql=%Q WHERE rowid=#%d-%Tdefault value of column [%s] is not constant%s.rowidAUTOINCREMENT not allowed on WITHOUT ROWID tablesthere is already an index named %sindex '%q'SELECT sql FROM "%w".sqlite_master WHERE type='index'INSERT INTO vacuum_db.sqlite_master SELECT*FROM "%w".sqlite_master WHERE type IN('view','trigger') OR(type='table'AND rootpage=0)cannot VACUUM from within a transactionSELECT'INSERT INTO vacuum_db.'||quote(name)||' SELECT*FROM"%w".'||quote(name)FROM vacuum_db.sqlite_master WHERE type='table'AND coalesce(rootpage,1)>0ORDER BY%s clause should come after %s not beforeLIMITtable %s may not be modifiedtblsqlite_stat%dpsowwinTruncate1winReadwinAccesswinLockSharedMemoryNOCASERTRIM
Source: 406D457B011C4E0E91EF918550DD5682.exe, 00000000.00000002.433190635.00000000016B9000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: SELECT _PackageID, _Revision, _WorkId, PackageFamily, ResourceId, Architecture, Version, PackageFullName, IsInbox, PackageType, Flags, Flags2, DisplayName, PublisherDisplayName, Description, Logo, OSMinVersion, OSMaxVersionTested, TargetDeviceFamily, Capabilities, SupportedUsers, SignatureOrigin, PackageOrigin, Enterprise, SourceBundle, EditionId, OSVersionWhenIndexed, InPlaceUpdateBaseline, _Dictionary FROM Package WHERE PackageFamily=? AND PackageType & ? !=0 AND (_WorkId=0 OR _WorkId=?);
Source: 406D457B011C4E0E91EF918550DD5682.exe Static file information: File size 5243360 > 1048576
Source: 406D457B011C4E0E91EF918550DD5682.exe Static PE information: Raw size of .xray is bigger than: 0x100000 < 0x500000
Source: 406D457B011C4E0E91EF918550DD5682.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Projects\LabSolutionsCore\SOURCE_MNG\SOURCE_EXE\LSSDataManagerHostExtendDb\obj\x86\Release\LSSDataManagerHostExtendDb.pdbhr source: 406D457B011C4E0E91EF918550DD5682.exe
Source: Binary string: C:\Projects\LabSolutionsCore\SOURCE_MNG\SOURCE_EXE\LSSDataManagerHostExtendDb\obj\x86\Release\LSSDataManagerHostExtendDb.pdb source: 406D457B011C4E0E91EF918550DD5682.exe
Source: Binary string: 3MpVeUMobZnoAKRDQvRK7WoV8kPSFCEQjkbc1qn64vxw3m8ge992jpfklvv4e2jq7k34zw9r9nldLNoffeuYXZDWuq5oLQjugsubiFD57HAVMZBitcoinClipboardMalware-1-master\btcclipboard\x64\Release\avery.pdb source: 406D457B011C4E0E91EF918550DD5682.exe
Source: 406D457B011C4E0E91EF918550DD5682.exe Static PE information: section name: .xray
Source: initial sample Static PE information: section where entry point is pointing to: .xray
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: detects_vmware
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.4.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: 406D457B011C4E0E91EF918550DD5682.exe Binary or memory string: GW.resourcesabbreviated query algorithm search!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Unknown member: peattributes.%hspe.set_peattribute(name, state) expects boolean "state"ARM_big_endianARM_legacyARM_unpredictable_16bitmachine_32bitmachineaggressive_trim_wsaggressiveimportamd64_imagearm_imageaslr_bit_setbound_imports_inside_imagebyte_reversed_hibyte_reversed_lowcalls_unimplemented_apichecks_if_debugged_documentedchecks_if_debugged_undocumentedchecks_ntglobalflagchecks_processheapchecks_teb_lasterrorchecks_teb_laststatuscode_on_stackdebug_strippeddeep_analysisdeep_apicall_limitdelay_load_imports_inside_imagedetects_virtualpcdetects_vmdetects_vmwaredirty_wx_branchdisable_apicall_limitdisable_drop_mz_onlydisable_dropper_rescandisable_io_redirectiondisable_microcodedisable_seh_limitdisable_static_unpackingdisable_thread_apicall_limitdisable_vmprotectdmg_decompressdmg_entrypointdmg_filealignmentdmg_imagebasedmg_imagesizedmg_importsdmg_invaliddatab=
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: VMware7,1
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.4.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Users\user\Desktop\406D457B011C4E0E91EF918550DD5682.exe Process queried: DebugPort Jump to behavior
Source: Amcache.hve.4.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: procexp.exe
No contacted IP infos