Windows Analysis Report
nwe-agent-package.exe

Overview

General Information

Sample name: nwe-agent-package.exe
Analysis ID: 1667754
MD5: d779793b7e9ff50ed69c9667c5a7e353
SHA1: 4a8369f171c3981969cbaa7976085740fe9f81e5
SHA256: 619b771186acae11a60863c99d27a1b0896d3a4b0573ea102bbd0c87335372bb

Detection

Score: 68
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Accesses ntoskrnl, likely to find offsets for exploits
Drops executables to the windows directory (C:\Windows) and starts them
Joe Sandbox ML detected suspicious sample
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
AV process strings found (often used to terminate AV products)
Checks for available system drives (often done to infect USB drives)
Contains capabilities to detect virtual machines
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Modifies existing windows services
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses 32bit PE files

Classification

  • System is w11x64_office
  • nwe-agent-package.exe (PID: 5736 cmdline: "C:\Users\user\Desktop\nwe-agent-package.exe" MD5: D779793B7E9FF50ED69C9667C5A7E353)
    • msiexec.exe (PID: 5608 cmdline: msiexec.exe /i "C:\Users\user\AppData\Local\Temp\NWE000064.msi" /l*v "C:\Users\user\AppData\Local\Temp\EMSINWEAgent.log" /qn /norestart REBOOT=ReallySuppress MD5: FE653E9A818C22D7E744320F65A91C09)
  • msiexec.exe (PID: 3920 cmdline: C:\Windows\system32\msiexec.exe /V MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)
    • msiexec.exe (PID: 4788 cmdline: C:\Windows\System32\MsiExec.exe -Embedding D1A53A86C19E57E245B620139E1373F7 MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)
    • msiexec.exe (PID: 4980 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 1108A51BD73D834A7FB678C6DEF8FEAB MD5: FE653E9A818C22D7E744320F65A91C09)
    • msiexec.exe (PID: 6016 cmdline: C:\Windows\System32\MsiExec.exe -Embedding B1D6E94B6C4B7F2DD31CD6178828D99A E Global\MSI0000 MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)
  • NWEAgent.exe (PID: 1256 cmdline: C:\Windows\system32\NWEAgent.exe /runasservice MD5: 02E51CF4B7B7ADA651F41B482C83E0A2)
  • svchost.exe (PID: 2084 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc MD5: 8EC922C7A58A8701AB481B7BE9644536)
  • svchost.exe (PID: 5672 cmdline: C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc MD5: 8EC922C7A58A8701AB481B7BE9644536)
  • svchost.exe (PID: 1148 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WFDSConMgrSvc MD5: 8EC922C7A58A8701AB481B7BE9644536)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 712, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc, ProcessId: 2084, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: nwe-agent-package.exe | Virustotal: Detection: 6%
Source: nwe-agent-package.exe | ReversingLabs: Detection: 13%
Source: Submitted Sample | Neural Call Log Analysis: 99.3%

Exploits

Source: C:\Windows\System32\NWEAgent.exe | File opened: C:\Windows\system32\ntkrnlmp.exe
Source: nwe-agent-package.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63AC4523-5F19-42F0-BC43-97C8B5373589}
Source: nwe-agent-package.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: C:\agent\_work\79\s\build\ship\x86\wixca.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: ntkrnlmp.pdbUGP source: NWEAgent.exe, 0000000A.00000003.3096045263.000002490FB40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-uma-release\windows\ECAT\Installer\Release\NWE-Inst.pdb source: nwe-agent-package.exe
Source: Binary string: ntkrnlmp.pdb source: NWEAgent.exe, 0000000A.00000003.3096045263.000002490FB40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-uma-release\windows\ECAT\Client\x64\Release\ECAT-Agent64.pdb source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-agent-msi\windows\ECAT\WixInstaller\CustomActionDll\bin\Release\CustomActionDll32.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000120E000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-kma-release\windows\ECAT\Driver\x64\Release\Ecat.pdb source: NWEDriver24062.sys.9.dr
Source: Binary string: C:\agent\_work\79\s\build\ship\arm64\wixca.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-agent-msi\windows\ECAT\WixInstaller\CustomActionDll\bin\ARM64\Release\CustomActionDllAa64.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-agent-msi\windows\ECAT\WixInstaller\CustomActionDll\bin\Release\CustomActionDll64.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000096F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000003.3014378575.00000000039E1000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-uma-release\windows\ECAT\Client\x64\Release\ECAT-Agent64.pdbGCTL source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\NWEAgent.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF71791B000.00000008.00000001.01000000.00000005.sdmp | String found in binary or memory: http://cmd.exepowershell.exewscript.execscript.exerundll32.exemshta.execommand
Source: NWEAgent.exe, 0000000A.00000003.3389500285.000002490EF3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: NWEAgent.exe, 0000000A.00000003.3224295599.000002490F8EC000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3221612068.000002490EFA4000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3224954494.000002490EFA9000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3231894564.000002490EFA6000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3232401013.000002490F8F3000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3237061831.000002490EFA9000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3227709296.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3240460560.000002490F914000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3217079839.000002490EFA4000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3180668120.000002490F909000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3228577055.000002490EFA1000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3377521511.000002490F84A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr
Source: NWEAgent.exe, 0000000A.00000003.3209017668.000002490F904000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3216827992.000002490F903000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr;c
Source: NWEAgent.exe, 0000000A.00000003.3276916388.000002490EF8F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micrCa5
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp, NWEDriver24062.sys.9.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.digicert.com0K
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://ocsp.digicert.com0O
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: http://wixtoolset.org
Source: NWEDriver24062.sys.9.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: NWEAgent.exe, 0000000A.00000003.3290375746.000002490FB54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: NWEAgent.exe, 0000000A.00000003.3096045263.000002490FB40000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.windows.com/stopcodeYour
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\system32\drivers\NWEDriver.sys
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\61867d.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI89C9.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8AB5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{63AC4523-5F19-42F0-BC43-97C8B5373589}
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8B61.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\system32\NWEAgent.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\system32\drivers\NWEDriver.sys
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9073.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI948B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\618680.msi
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA15D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\System32\drivers\NWEDriver24062.sys
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI89C9.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI8AB5.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI9073.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI948B.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\618680.msi
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI8B61.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSIA15D.tmp
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\61867d.msi
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\System32\drivers\NWEDriver.sys
Source: NWEDriver.sys.6.dr | Static PE information: Number of sections : 12 > 10
Source: NWEDriver24062.sys.9.dr | Static PE information: Number of sections : 12 > 10
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs nwe-agent-package.exe
Source: nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewixca.dll\ vs nwe-agent-package.exe
Source: nwe-agent-package.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: NWEDriver24062.sys.9.dr | Binary string: \Device\Harddisk??\DR??\DEVICE\HARDDISKVOLUMESHADOWCOPY*
Source: NWEDriver24062.sys.9.dr | Binary string: \Device\Harddisk?\DR?
Source: NWEDriver24062.sys.9.dr | Binary string: \DEVICE\HARDDISKVOLUME?\DEVICE\HARDDISKVOLUME??
Source: classification engine | Classification label: mal68.expl.evad.winEXE@14/33@0/1
Source: C:\Windows\System32\NWEAgent.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\nwe-agent-package.exe | File created: C:\Users\user\AppData\Local\Temp\NWE000064.msi
Source: nwe-agent-package.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nwe-agent-package.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: UPDATE Paths SET Location = ? WHERE PK_Paths = ?;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Paths.Struct, Paths.BehaviorStruct, Paths.Location, Paths.PK_Paths, Paths.FK_Modules FROM Paths WHERE PK_Paths = ?;
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT SUM(pgsize-unused) FROM dbstat WHERE name='Events';
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Paths.Struct, Paths.BehaviorStruct, Paths.Location, Paths.PK_Paths, Paths.FK_Modules FROM PathsLEFT JOIN Modules ON (Modules.PK_Modules = Paths.FK_Modules)WHERE Paths.KeepCycle > 0 AND (IFNULL(Paths.FK_Modules, 0) > 0 OR FileScan > 0 OR Paths.PK_Paths IN (SELECT DISTINCT FK_Paths FROM ScanItems WHERE IFNULL(FK_Modules, 0) = 0));
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT COUNT(*) FROM TrackingEvents;
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT COUNT(oid) FROM Events;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: UPDATE Modules SET Struct = ? WHERE PK_Modules = ?;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178F5000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT SUM(pgsize-unused), SUM(unused) FROM dbstat WHERE name=?;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Paths.Struct, Paths.BehaviorStruct, Paths.Location, Paths.PK_Paths, Paths.FK_Modules FROM Paths;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Modules.PK_Modules, Modules.FloatingBehavior, Modules.Struct, Modules.Headers FROM Modules WHERE PK_Modules = ? LIMIT 1;
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS FilePathList (fullFilePath TEXT PRIMARY KEY, modifiedTime INT,optionalParam1 INT,optionalParam2 INT,lastAccessedTime INT,fileHash TEXT REFERENCES FileList(fileHash));
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Certificates.PK_Certificates, Certificates.IsMicrosoft, Certificates.CrlList, Certificates.Struct FROM Certificates;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: UPDATE Paths SET Struct = ?, Loaded = Loaded | (?), FileScan = FileScan | (?) WHERE PK_Paths = ?;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Paths.Struct, Paths.BehaviorStruct, Paths.Location, Paths.PK_Paths, Paths.FK_Modules FROM Paths WHERE KeyPath = ?;
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS FileList (fileHash TEXT PRIMARY KEY, localRefCount INT,fileJSON TEXT);SELECT * FROM FileList WHERE fileHash=? DELETE FROM FileList WHERE fileHash=? UPDATE FileList SET localRefCount=? WHERE fileHash=? INSERT INTO FileList VALUES (?,?,?)SELECT SUM(pgsize-unused) FROM dbstat WHERE name='FileList'Prepare statement failed for FileRepository create table queryCreating file list table failedPrepare statement failed for FileRepository add new rowPrepare statement failed for FileRepository hash searchCould not get the JSON for the fileCould not get current refernce countCould not set new refernce count valueCould not remove file row from tablePrepare statement failed for FileRepository size queryCould not get file sizePrepare statement failed for FileRepository reference count updateCould not bind reference count to queryCould not execute add reference queryPrepare statement failed delete row in file repository
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS FilePathList (fullFilePath TEXT PRIMARY KEY, modifiedTime INT,optionalParam1 INT,optionalParam2 INT,lastAccessedTime INT,fileHash TEXT REFERENCES FileList(fileHash));SELECT * FROM FilePathList WHERE fullFilePath=? DELETE FROM FilePathList WHERE fullFilePath=? INSERT INTO FilePathList VALUES (?,?,?,?,?,?)SELECT COUNT(*) FROM FilePathListSELECT fullFilePath,fileHash FROM FilePathList ORDER BY lastAccessedTime ASC LIMIT ? SELECT fullFilePath,fileHash FROM FilePathList WHERE lastAccessedTime < ? Prepare statement failed for FilePathRepository create table queryCreating file path table failedPrepare statement failed for FilePathRepository path searchCould not bind file path to queryCould not execute path search queryCould not get the hash for the fileCould not get modfied time entry forCould not get Optional param 1Could not get Optional param 2Could not remove modifed file entryPrepare statement failed for FilePathRepository add referenceCould not add entry to file tablePrepare statement failed for FilePathRepository add new rowCould not bind time to queryCould not bind optional param1 to queryCould not bind optional param2 to queryCould not bind file hash to queryCould not execute hash search queryCould not remove reference to fileUPDATE FilePathList SET lastAccessedTime=CASE WHERE fullFilePath IN (' THEN WHEN fullFilePath='', ' ENDPrepare statement failed for FilePathRepository row count queryCould not execute row count queryCould not get row countPrepare statement failed for FilePathRepository LRU count searchCould not bind count to queryCould not execute LRU count search queryCould not Insert LRU count search results to mapCould not execute LRU time search queryCould not Insert LRU time search results to mapCould not get the path of fileCould not get the hash of fileCould not get next row of resultPrepare statement failed delete row in filepath repositoryCould not execute drop row queryfileCreateTimefileModifyTimefileAccessTimefileAttributesfileFeaturesrpm.packageNamerpm.categorydpkg.packageName
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: UPDATE Paths SET BehaviorStruct = ?, Loaded = Loaded | (?) WHERE PK_Paths = ?;
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Modules.PK_Modules, Modules.FloatingBehavior, Modules.Struct, Modules.Headers FROM Modules INNER JOIN (SELECT DISTINCT PK_Modules FROM ModulesLEFT JOIN Paths ON(Modules.PK_Modules = Paths.FK_Modules)LEFT JOIN TrackingEvents ON (Modules.PK_Modules = TrackingEvents.FK_Modules)WHERE(Paths.FK_Modules IS NOT NULL AND Paths.KeepCycle > 0) OR(TrackingEvents.FK_Modules IS NOT NULL)) AS mx ON Modules.PK_Modules = mx.PK_Modules;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Modules.PK_Modules, Modules.FloatingBehavior, Modules.Struct, Modules.Headers FROM Modules;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Modules.PK_Modules, Modules.FloatingBehavior, Modules.Struct, Modules.Headers FROM Modules WHERE Hash = ?;
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS FileList (fileHash TEXT PRIMARY KEY, localRefCount INT,fileJSON TEXT);
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Struct, FloatingBehavior FROM ScanItems WHERE Type = ?;
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Struct, FloatingBehavior FROM ScanItems WHERE Type = ? AND FK_Paths = ?;
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT COUNT(*) FROM TrackingVPID;
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Modules.PK_Modules, Modules.FloatingBehavior, Modules.Struct, Modules.Headers FROM Modules INNER JOIN (SELECT DISTINCT PK_Modules FROM ModulesLEFT JOIN Paths ON(Modules.PK_Modules = Paths.FK_Modules)LEFT JOIN TrackingEvents ON (Modules.PK_Modules = TrackingEvents.FK_Modules)WHERE(Paths.FK_Modules IS NOT NULL AND Paths.KeepCycle > 0) OR(TrackingEvents.FK_Modules IS NOT NULL)) AS mx ON Modules.PK_Modules = mx.PK_Modules UNION SELECT PK_Modules, FloatingBehavior, Struct, Headers FROM Modules WHERE PK_Modules in (%s);
Source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS Events (eventString TEXT, sourceFileHash TEXT, targetFileHash TEXT);
Source: NWEAgent.exe, 0000000A.00000000.3076363285.00007FF7178A8000.00000008.00000001.01000000.00000005.sdmp | Binary or memory string: SELECT Certificates.PK_Certificates, Certificates.IsMicrosoft, Certificates.CrlList, Certificates.Struct FROM Certificates WHERE Thumbprint = ?;
Source: nwe-agent-package.exeVirustotal: Detection: 6%
Source: nwe-agent-package.exeReversingLabs: Detection: 13%
Source: unknownProcess created: C:\Users\user\Desktop\nwe-agent-package.exe "C:\Users\user\Desktop\nwe-agent-package.exe"
Source: C:\Users\user\Desktop\nwe-agent-package.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "C:\Users\user\AppData\Local\Temp\NWE000064.msi" /l*v "C:\Users\user\AppData\Local\Temp\EMSINWEAgent.log" /qn /norestart REBOOT=ReallySuppress
Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding D1A53A86C19E57E245B620139E1373F7
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1108A51BD73D834A7FB678C6DEF8FEAB
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding B1D6E94B6C4B7F2DD31CD6178828D99A E Global\MSI0000
Source: unknownProcess created: C:\Windows\System32\NWEAgent.exe C:\Windows\system32\NWEAgent.exe /runasservice
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WFDSConMgrSvc
Source: C:\Users\user\Desktop\nwe-agent-package.exeProcess created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe /i "C:\Users\user\AppData\Local\Temp\NWE000064.msi" /l*v "C:\Users\user\AppData\Local\Temp\EMSINWEAgent.log" /qn /norestart REBOOT=ReallySuppressJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding D1A53A86C19E57E245B620139E1373F7Jump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 1108A51BD73D834A7FB678C6DEF8FEABJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\msiexec.exe C:\Windows\System32\MsiExec.exe -Embedding B1D6E94B6C4B7F2DD31CD6178828D99A E Global\MSI0000Jump to behavior
Source: C:\Users\user\Desktop\nwe-agent-package.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\nwe-agent-package.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: appidapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_1_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: servicingcommon.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: wtsapi32.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: cryptnet.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: tdh.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: wevtapi.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: ncryptprov.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: winsta.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npsm.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: npsmdesktopprovider.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: capauthz.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: audioses.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mmdevapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: devicesflowbroker.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cfgmgr32.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cfgmgr32.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wfdsconmgr.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wfdsconmgrsvc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: deviceassociation.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cfgmgr32.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cfgmgr32.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cfgmgr32.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\NWEAgent.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63AC4523-5F19-42F0-BC43-97C8B5373589}Jump to behavior
Source: nwe-agent-package.exeStatic file information: File size 18776064 > 1048576
Source: nwe-agent-package.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x11cb600
Source: nwe-agent-package.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nwe-agent-package.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nwe-agent-package.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nwe-agent-package.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nwe-agent-package.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nwe-agent-package.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: nwe-agent-package.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: nwe-agent-package.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\agent\_work\79\s\build\ship\x86\wixca.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: ntkrnlmp.pdbUGP source: NWEAgent.exe, 0000000A.00000003.3096045263.000002490FB40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-uma-release\windows\ECAT\Installer\Release\NWE-Inst.pdb source: nwe-agent-package.exe
Source: Binary string: ntkrnlmp.pdb source: NWEAgent.exe, 0000000A.00000003.3096045263.000002490FB40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-uma-release\windows\ECAT\Client\x64\Release\ECAT-Agent64.pdb source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-agent-msi\windows\ECAT\WixInstaller\CustomActionDll\bin\Release\CustomActionDll32.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000120E000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-kma-release\windows\ECAT\Driver\x64\Release\Ecat.pdb source: NWEDriver24062.sys.9.dr
Source: Binary string: C:\agent\_work\79\s\build\ship\arm64\wixca.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-agent-msi\windows\ECAT\WixInstaller\CustomActionDll\bin\ARM64\Release\CustomActionDllAa64.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-agent-msi\windows\ECAT\WixInstaller\CustomActionDll\bin\Release\CustomActionDll64.pdb source: nwe-agent-package.exe, 00000002.00000000.3003625482.000000000096F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000003.3014378575.00000000039E1000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\A\workspace\netwitness-endpoint-agent\windows\VS2022\windows-uma-release\windows\ECAT\Client\x64\Release\ECAT-Agent64.pdbGCTL source: NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp
Source: nwe-agent-package.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nwe-agent-package.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nwe-agent-package.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nwe-agent-package.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nwe-agent-package.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: NWEAgent.exe.6.dr | Static PE information: section name: _RDATA
Source: NWEDriver.sys.6.dr | Static PE information: section name: .sili0
Source: NWEDriver.sys.6.dr | Static PE information: section name: ENCRYPTE
Source: NWEDriver.sys.6.dr | Static PE information: section name: .sili3
Source: NWEDriver.sys.6.dr | Static PE information: section name: .sili1
Source: NWEDriver.sys.6.dr | Static PE information: section name: .sili2
Source: MSIA15D.tmp.6.dr | Static PE information: section name: _RDATA
Source: MSI9073.tmp.6.dr | Static PE information: section name: _RDATA
Source: MSI948B.tmp.6.dr | Static PE information: section name: _RDATA
Source: MSI89C9.tmp.6.dr | Static PE information: section name: _RDATA
Source: NWEDriver24062.sys.9.dr | Static PE information: section name: .sili0
Source: NWEDriver24062.sys.9.dr | Static PE information: section name: ENCRYPTE
Source: NWEDriver24062.sys.9.dr | Static PE information: section name: .sili3
Source: NWEDriver24062.sys.9.dr | Static PE information: section name: .sili1
Source: NWEDriver24062.sys.9.dr | Static PE information: section name: .sili2

Persistence and Installation Behavior

Source: unknown | Executable created and started: C:\Windows\system32\NWEAgent.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\system32\drivers\NWEDriver.sys
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\System32\drivers\NWEDriver24062.sys
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8AB5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9073.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA15D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\System32\drivers\NWEDriver.sys
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI948B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\System32\drivers\NWEDriver24062.sys
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\System32\NWEAgent.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI89C9.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI8AB5.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI9073.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA15D.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\System32\drivers\NWEDriver.sys
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI948B.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\System32\drivers\NWEDriver24062.sys
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\System32\NWEAgent.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI89C9.tmp
Source: C:\Windows\System32\msiexec.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWEAgent
Source: C:\Windows\System32\NWEAgent.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWEAgent
Source: C:\Windows\System32\msiexec.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NWEAgent XCC
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\NWEAgent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\NWEAgent.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\NWEAgent.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.22621.4111.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3672.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.4317.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-VirtualMachinePlatform-Client-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.22621.4460.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.4036.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22621.3672.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2792.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-VirtualMachinePlatform-Client-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.cat
Source: C:\Windows\System32\NWEAgent.exe | File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.cat
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3672.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.22621.4111.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3447.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3958.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-VirtualMachinePlatform-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.3810.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.1.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3880.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.22621.4460.catJump to behavior
Source: C:\Windows\System32\NWEAgent.exeFile opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catJump to behavior
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI8AB5.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI9073.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSIA15D.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\NWEDriver.sys
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI948B.tmp
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\NWEDriver24062.sys
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI89C9.tmp
Source: C:\Windows\System32\NWEAgent.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hmicrosoft-hyper-v-offline-core-group-merged-j
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3672.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3180668120.000002490F8DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.22621.4391_none_168f855dda736413\vmms.exeHint
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FABF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3185854005.000002490F8ED000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.22621.4391_none_5ec
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3880.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3185854005.000002490F8ED000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.cat
Source: NWEAgent.exe, 0000000A.00000003.3185854005.000002490F90C000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Tmicrosoft-hyper-v-online-services-package0{
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.22621.4460.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3958.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3096045263.000002490FB40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: AVMWAREEtw
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FABF000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-VirtualMachinePlatform-Client-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.4036.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3096045263.000002490FB40000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: AVMWARE
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3389500285.000002490EF3D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.22621.4391_none_b25762bf3596fd70\vmbkmclr.sys0*
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FABF000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-VirtualMachinePlatform-Client-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.3810.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FABF000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Zmicrosoft-hyper-v-offline-core-group-package0{
Source: NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.2262{
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FABF000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3672.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.4317.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3389500285.000002490EF3D000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3563701320.000002490EF58000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3418004296.000002490EF5C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.22621.3672_none_b234d9b935b13b0f\vmbkmclr.sys0*
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.4391.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3217180030.000002490EF78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-PackageckageRs%
Source: NWEAgent.exe, 0000000A.00000003.3185854005.000002490F8ED000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.cat
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-AzureVirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3180668120.000002490F8DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.22621.1_none_dc44edbb14b5c8bf\vid.dllHintD
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22621.3672.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.22621.4460.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3185854005.000002490F8ED000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catI
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3180668120.000002490F8DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.22621.3672_none_d521f62dd21bbe3b\vsconfig.dll
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.22621.3447.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FABF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.22621.4111.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.22621.4111.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FABF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.1.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3185854005.000002490F8ED000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2506.cato
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.22621.2792.catMicrosoft Windowsq
Source: NWEAgent.exe, 0000000A.00000003.3179098547.000002490FB41000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FABF000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3178149253.000002490FA3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Feature-VirtualMachinePlatform-Client-Package~31bf3856ad364e35~amd64~~10.0.22621.4455.catMicrosoft Windows
Source: NWEAgent.exe, 0000000A.00000003.3182014647.000002490FC37000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.22621.4169.catMicrosoft Windows
Source: C:\Windows\System32\NWEAgent.exeSystem information queried: ModuleInformationJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\NWEAgent.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\NWEAgent.exeQueries volume information: C:\Windows\System32\ntkrnlmp.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\NWEAgent.exeQueries volume information: C:\Windows\System32\NWEAgent.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\NWEAgent.exeQueries volume information: C:\Windows\System32\drivers\NWEDriver24062.sys VolumeInformationJump to behavior
Source: C:\Windows\System32\NWEAgent.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: NWEAgent.exe, 0000000A.00000003.3359948176.000002490FB4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ws-defender-service_31bf3856ad364e35_10.0.22621.1_none_273bee824a8ac431\msmpeng.exe
ATT&CK matrix, listed by tactic (numbers in parentheses are the count badges the report shows beside a technique; techniques without a number carry no badge):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Replication Through Removable Media (1), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: Windows Service (31), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: Exploitation for Privilege Escalation (1), Windows Service (31), Process Injection (1), DLL Side-Loading (1), Network Logon Script, RC Scripts
Defense Evasion: Masquerading (13), Modify Registry (1), Virtualization/Sandbox Evasion (12), Process Injection (1), DLL Side-Loading (1), File Deletion (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (131), Virtualization/Sandbox Evasion (12), Process Discovery (1), Peripheral Device Discovery (11), System Information Discovery (24), Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Behavior Graph (ID 1667754; sample nwe-agent-package.exe; start date 17/04/2025; architecture WINDOWS; score 68), recovered from the graph text:

  • Start node: Multi AV Scanner detection for submitted file; Drops executables to the windows directory (C:\Windows) and starts them; Joe Sandbox ML detected suspicious sample. Starts msiexec.exe, NWEAgent.exe, nwe-agent-package.exe and 3 other processes.
  • msiexec.exe: drops C:\Windows\System32\NWEAgent.exe (PE32+), C:\Windows\System32\drivers\NWEDriver.sys (PE32+), C:\Windows\Installer\MSIA15D.tmp (PE32+) and 4 other files (none is malicious); Sample is not signed and drops a device driver; starts three further msiexec.exe processes.
  • NWEAgent.exe: contacts 192.168.73.110 port 444 (unknown, unknown); Query firmware table information (likely to detect VMs); Accesses ntoskrnl, likely to find offsets for exploits.
  • nwe-agent-package.exe: starts msiexec.exe.
  • Child msiexec.exe: drops C:\Windows\System32\...\NWEDriver24062.sys (PE32+); Sample is not signed and drops a device driver.

Source | Detection | Scanner | Label
nwe-agent-package.exe | 7% | Virustotal
nwe-agent-package.exe | 13% | ReversingLabs
SAMPLE | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label
C:\Windows\Installer\MSI89C9.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI8AB5.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI9073.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI948B.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSIA15D.tmp | 0% | ReversingLabs
C:\Windows\System32\NWEAgent.exe | 0% | ReversingLabs
C:\Windows\System32\drivers\NWEDriver.sys | 0% | ReversingLabs
C:\Windows\System32\drivers\NWEDriver24062.sys | 0% | ReversingLabs

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://crl.micrCa5 | 0% | Avira URL Cloud | safe
http://cmd.exepowershell.exewscript.execscript.exerundll32.exemshta.execommand | 0% | Avira URL Cloud | safe
http://crl.micr | 0% | Avira URL Cloud | safe
http://crl.micr;c | 0% | Avira URL Cloud | safe


No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://cmd.exepowershell.exewscript.execscript.exerundll32.exemshta.execommand | NWEAgent.exe, 0000000A.00000000.3076363285.00007FF71791B000.00000008.00000001.01000000.00000005.sdmp | false | Avira URL Cloud: safe | unknown
http://www.winimage.com/zLibDll | NWEAgent.exe, 0000000A.00000000.3072218970.00007FF717713000.00000002.00000001.01000000.00000005.sdmp | false | | high
http://wixtoolset.org | nwe-agent-package.exe, 00000002.00000000.3003625482.000000000038F000.00000002.00000001.01000000.00000003.sdmp, nwe-agent-package.exe, 00000002.00000000.3003625482.0000000000F82000.00000002.00000001.01000000.00000003.sdmp | false | | high
http://crl.micr | NWEAgent.exe, 0000000A.00000003.3224295599.000002490F8EC000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3221612068.000002490EFA4000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3224954494.000002490EFA9000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3231894564.000002490EFA6000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3232401013.000002490F8F3000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3237061831.000002490EFA9000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3227709296.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3240460560.000002490F914000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3217079839.000002490EFA4000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3180668120.000002490F909000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3228577055.000002490EFA1000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3377521511.000002490F84A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micr;c | NWEAgent.exe, 0000000A.00000003.3209017668.000002490F904000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3216827992.000002490F903000.00000004.00000020.00020000.00000000.sdmp, NWEAgent.exe, 0000000A.00000003.3182901954.000002490F8EA000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.micrCa5 | NWEAgent.exe, 0000000A.00000003.3276916388.000002490EF8F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.windows.com/stopcodeYour | NWEAgent.exe, 0000000A.00000003.3096045263.000002490FB40000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | NWEAgent.exe, 0000000A.00000003.3290375746.000002490FB54000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
192.168.73.110 | | | | | |
          Joe Sandbox version:42.0.0 Malachite
          Analysis ID:1667754
          Start date and time:2025-04-17 19:01:11 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 6m 51s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:defaultwindowsinteractivecookbook.jbs
          Analysis system description:Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
          Run name:Potential for more IOCs and behavior
Number of new started processes analysed:22
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:nwe-agent-package.exe
          Detection:MAL
          Classification:mal68.expl.evad.winEXE@14/33@0/1
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe, SystemSettingsBroker.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe
          • Excluded IPs from analysis (whitelisted): 104.18.38.233, 172.64.149.23, 20.12.23.50
          • Excluded domains from analysis (whitelisted): crt.comodoca.com.cdn.cloudflare.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com, crt.comodoca.com
• Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtCreateFile calls found.
          • Report size getting too big, too many NtEnumerateKey calls found.
          • Report size getting too big, too many NtOpenFile calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryAttributesFile calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          No simulations
          No context
Match: C:\Windows\Installer\MSI8AB5.tmp

Associated Sample Name / URL | Detection | Threat Name
Ösztöndíjprogram.msi | malicious | AteraAgent
processo974974.msi | malicious | AteraAgent
https://imsva91-ctp.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fappilux%2dmy.sharepoint.com%2f%3ab%3a%2fg%2fpersonal%2fsecretariat%5fappilux%5flu%2fEe5UD1cl52dHj%2dVLeIpwkDYBBX3sg2bYeM8V7O8pj4eIMw&umid=2C4E7276-3243-0106-B45A-068FB3E2ED70&auth=f169b906840ce9acfa46d9fc91ed05165e9c9b8f-de32ef97c8b75119951b7c637a5ebd9dd5ba33ec | malicious | Unknown
https://www.google.com/url?q=https://villemonteil-my.sharepoint.com/:b:/g/personal/jerome_lassince_villemonteilaquitaine_fr/ES2_j_QZ4phKlfTEI8NeZ1kBC_b5oFLt_ua02wACxZi9Zg&source=gmail&ust=1744104792241000&usg=AOvVaw0zD3X5FizCnSCzMz7NmTiR | malicious | Unknown
SeraphicSecurity_3ce70be9df6fdb942f72600d8492175bc8bcdc5b94520facce66549f8f7e1a47.msi | malicious | Unknown
SeraphicSecurity_3ce70be9df6fdb942f72600d8492175bc8bcdc5b94520facce66549f8f7e1a47.msi | malicious | Unknown
Microsoft.HEVCVideoExtensions.Installer.x64.msi | malicious | Unknown
SeraphicSecurity_e08fcb76f26923d577ecad3e35d45725bb9f8295766543006f1a2e0aea5a6370.msi | malicious | Unknown
SeraphicSecurity_f605c43a4f26313c6228c8fa342de4539f09081dc4e4ffc66e0f5d0a0634e99d.msi | malicious | Unknown
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):3179384
                            Entropy (8bit):4.582395811736858
                            Encrypted:false
                            SSDEEP:24576:lduOrEMlfaaWBRMCtk5F9liAgHlD5hk09TCt2roL9oM56FJgu0WMBytSbXh2CjuK:+OYMlfxW9s
                            MD5:F3F41378937DC640448E5DFB13AD858A
                            SHA1:85E955F622C9DE7A28A1E50D5159DA16741508FB
                            SHA-256:5CF90533B0360839AA6D88AE398A584647DA0F396FB3724861BA88577EC726BB
                            SHA-512:4C276E0F761E6841B2551468D5FD31C3FA59A33C9686D1F366158550F20B3253F8665D6584C742BD12C7B68FA817C61DBFF4F1126AC11413479287BB485C5F1E
                            Malicious:false
                            Reputation:low
                            Preview:...@IXOS.@.....@Qh.Z.@.....@.....@.....@.....@.....@......&.{63AC4523-5F19-42F0-BC43-97C8B5373589}..NWE Agent..NWE000064.msi.@.....@.....@.....@........&.{B9E33C19-6A15-4785-AE6F-0B9E88A1ED01}.....@.....@.....@.....@.......@.....@.....@.......@......NWE Agent......Rollback..Rolling back action: [1]....RollbackCleanup..Removing backup files File: [1]....ProcessComponents..Updating component registration..&.{8CD250C4-0F5F-41DC-A58F-13B8903CC0B5}&.{63AC4523-5F19-42F0-BC43-97C8B5373589}.@......&.{F8822897-02B3-4DCF-8F22-0B7C7F854D86}&.{63AC4523-5F19-42F0-BC43-97C8B5373589}.@......&.{BBB4955D-F817-44E6-98D0-CBAE66480AA3}&.{63AC4523-5F19-42F0-BC43-97C8B5373589}.@......&.{BBB4955D-F817-44E6-98D0-CBAE66480AA3}&.{00000000-0000-0000-0000-000000000000}.@......&.{BBB4955D-F817-44E6-98D0-CBAE66480AA4}&.{63AC4523-5F19-42F0-BC43-97C8B5373589}.@......&.{BBB4955D-F817-44E6-98D0-CBAE66480AA4}&.{00000000-0000-0000-0000-000000000000}.@......&.{BBB4955D-F817-44E6-98D0-CBAE66480AA5}&.{63AC4523-5F19-42F0-BC4
                            Process:C:\Windows\System32\NWEAgent.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):50
                            Entropy (8bit):1.4812424590621707
                            Encrypted:false
                            SSDEEP:3:/lvlcie:Te
                            MD5:05C4436823C88A05C48AB37EC2F9EDC8
                            SHA1:383C50BBF2E04F4B766934FE9B3C8F7BD0CFB2C7
                            SHA-256:1DC1F3090755AB8E3189D748143B9498843C8E4C26913639C475F19EC824B7DA
                            SHA-512:938BD61206DD4A47897C735FE71E2379FB2EAB0D39D11224C166916675C041C1B17583F174D4DC338462420853B09BB34F96C1E1F56D77BDCC1549BD23FCC557
                            Malicious:false
                            Preview:........................................user-PC$.
                            Process:C:\Windows\System32\NWEAgent.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):2251
                            Entropy (8bit):7.636906761686371
                            Encrypted:false
                            SSDEEP:48:s4EhrjtW3srnwUsszNitu4aRbIAi49HfZCfEK93dAplP8n4m:s4GjtW3srwzsza3aVIkdRCV6t8n4m
                            MD5:FDA086AEE51782CB4F484F555447D6E7
                            SHA1:BE773F8C8C11385EFACC6D4DC808F745429B2AF2
                            SHA-256:82A4EBC105D9D64C2A7A30DE0053D88E8AD43180473748724E5754EEF4408473
                            SHA-512:EA5D28C5B46A3EDA2448BBF73D2143F958A307BB7D1D1E226B1287128DA23228AF62F0A683CC0B8E8FECBA05159BFE552C1126EE3BE778FFC2AD411A343DE8E7
                            Malicious:false
                            Process:C:\Windows\System32\NWEAgent.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):94208
                            Entropy (8bit):7.998325982500332
                            Encrypted:true
                            SSDEEP:1536:lnnRbeTqZ/Kq7SECa14U6AR+8CLgIJFx0bODzex7awgjv2L41OapDDonWeBDrGo2:lDZ/eEPaR0+8CL7xzM7zM+J63onWXdbT
                            MD5:17FB960B3904C18B84534C6B3C5CB5BF
                            SHA1:881873351FDF5CF16B9FB5F38EEDB2A86D74691C
                            SHA-256:69904DABC5B3B0F82FE28156446B8503044A6A50E2F885247D9D45887B7AED4D
                            SHA-512:1CC31F95892D38F79538861955B013862728C68F8F7707B157FA74E83A7385F67A905D36196AE5DF52E1E099BB199BFC499D64E7739CF47747152958E5256315
                            Malicious:false
                            Process:C:\Windows\System32\NWEAgent.exe
                            File Type:SQLite Rollback Journal
                            Category:modified
                            Size (bytes):12824
                            Entropy (8bit):7.890254874600593
                            Encrypted:false
                            SSDEEP:384:7zoZHJbhAllvhYK5Mb93WDE0kxjCVqJ0G:3oZH92l/jMb93WDE0kRIG
                            MD5:2DBE60AE53473A171C1BD0DE91B92B51
                            SHA1:F6C80F65E3DCBE40FF65A6F9E864814125AAA3E0
                            SHA-256:1B7CCD8CD18727283F5F5D6AB2F4741C32DF3E15D65029586CF25D792489D8FB
                            SHA-512:6E7961E19F8E94D3483CD50C78FFAE7805297CC03C4FEC348024ABF0F00D4A812253BDE7DCAEF8A804FB5CA93329D7A2C9A219CCE22B9E61349DC33D69A5C1D8
                            Malicious:false
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):215276
                            Entropy (8bit):3.747010735053765
                            Encrypted:false
                            SSDEEP:1536:V0yBnjNIIGxE9DgmGCaiR4kJI/8emWYDdM/GPrujDVymewenKRjUiFS3/CB2L7Fr:V6jUiFS3/CB23FysetGgaq3LLLId
                            MD5:2CC6A448256F96F7B4ACA095DE111A4B
                            SHA1:9E99CEAC98A7FA544F9311CFD46856741AC5A77A
                            SHA-256:68FE49B69A871B7A4BCB95AFCFC4F41E9CFBA5C43814AD5C712B062FAE22BBE1
                            SHA-512:E1A0804E0AAD81C900220FF483D83A5711D8D9C869CAB136ADF3E6B277F4AFB1A961FB5924523061B8623186A4DBF05F0897164B2913B6B2C05ADEFCB9B944C1
                            Malicious:false
Preview (UTF-16LE text, rendered):
=== Verbose logging started: 17/04/2025  13:02:30  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SysWOW64\msiexec.exe ===
MSI (c) (E8:A4) [13:02:30:237]: Resetting cached policy values
MSI (c) (E8:A4) [13:02:30:237]: Machine policy value 'Debug' is 0
MSI (c) (E8:A4) [13:02:30:237]: ******* RunEngine:
           ******* Product: C:\Users\Maoga\AppData\Local\Temp\NWE000064.msi
           ******* Action: 
           ******* CommandLine: **********
MSI (c) (E8:A4) [13:0
                            Process:C:\Users\user\Desktop\nwe-agent-package.exe
                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: NWE Agent, Author: RSA Security LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install NWE Agent., Template: x64;1033, Create Time/Date: Mon Jul 1 00:08:20 2024, Last Saved Time/Date: Mon Jul 1 00:08:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Revision Number: {B9E33C19-6A15-4785-AE6F-0B9E88A1ED01}
                            Category:dropped
                            Size (bytes):6500352
                            Entropy (8bit):6.978712046281683
                            Encrypted:false
                            SSDEEP:49152:T9IW6pFdmHWWzeItpX2d1xocBVgFsdmAhgQUAlKSDmBWzQ2qGn0gcRJOYMlfxWC3:2fFdmHWkztV42cHOQ/KSkWk2qoGJODM
                            MD5:0E4DC0B288F2458C06C22A1432D18FE2
                            SHA1:8339F730C874B2BF0F00C6E7D9A5FC33E86FA2F6
                            SHA-256:9744FF98C4756D1EA2101B6C7AF01B6C6EF96A34D19AEF1A16E9302979B4A896
                            SHA-512:5593CBE3E223839F1A6944D684A5F743CAFE325B67C3517B165AF8C77C95870DB86FE7DB35D7B435994DB59EB530D6A833E32B1DE0E2E5CC90C40CE148A125A7
                            Malicious:false
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: NWE Agent, Author: RSA Security LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install NWE Agent., Template: x64;1033, Create Time/Date: Mon Jul 1 00:08:20 2024, Last Saved Time/Date: Mon Jul 1 00:08:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Revision Number: {B9E33C19-6A15-4785-AE6F-0B9E88A1ED01}
                            Category:dropped
                            Size (bytes):6500352
                            Entropy (8bit):6.978712046281683
                            Encrypted:false
                            SSDEEP:49152:T9IW6pFdmHWWzeItpX2d1xocBVgFsdmAhgQUAlKSDmBWzQ2qGn0gcRJOYMlfxWC3:2fFdmHWkztV42cHOQ/KSkWk2qoGJODM
                            MD5:0E4DC0B288F2458C06C22A1432D18FE2
                            SHA1:8339F730C874B2BF0F00C6E7D9A5FC33E86FA2F6
                            SHA-256:9744FF98C4756D1EA2101B6C7AF01B6C6EF96A34D19AEF1A16E9302979B4A896
                            SHA-512:5593CBE3E223839F1A6944D684A5F743CAFE325B67C3517B165AF8C77C95870DB86FE7DB35D7B435994DB59EB530D6A833E32B1DE0E2E5CC90C40CE148A125A7
                            Malicious:false
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: NWE Agent, Author: RSA Security LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install NWE Agent., Template: x64;1033, Create Time/Date: Mon Jul 1 00:08:20 2024, Last Saved Time/Date: Mon Jul 1 00:08:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Revision Number: {B9E33C19-6A15-4785-AE6F-0B9E88A1ED01}
                            Category:dropped
                            Size (bytes):6500352
                            Entropy (8bit):6.978712046281683
                            Encrypted:false
                            SSDEEP:49152:T9IW6pFdmHWWzeItpX2d1xocBVgFsdmAhgQUAlKSDmBWzQ2qGn0gcRJOYMlfxWC3:2fFdmHWkztV42cHOQ/KSkWk2qoGJODM
                            MD5:0E4DC0B288F2458C06C22A1432D18FE2
                            SHA1:8339F730C874B2BF0F00C6E7D9A5FC33E86FA2F6
                            SHA-256:9744FF98C4756D1EA2101B6C7AF01B6C6EF96A34D19AEF1A16E9302979B4A896
                            SHA-512:5593CBE3E223839F1A6944D684A5F743CAFE325B67C3517B165AF8C77C95870DB86FE7DB35D7B435994DB59EB530D6A833E32B1DE0E2E5CC90C40CE148A125A7
                            Malicious:false
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):3127808
                            Entropy (8bit):4.575053685939914
                            Encrypted:false
                            SSDEEP:24576:vduOrEMlfaaWBRMCtk5F9liAgHlD5hk09TCt2roL9oM56FJgu0WMBytSbXh2CjuZ:8OYMlfxW9
                            MD5:0A1C23151A737CD6F007A33500F06722
                            SHA1:6F86EF996A9702339B686AC1E596BC277E151404
                            SHA-256:CB43317B7EC8792DBD57B2186EF51C0CB544C651676D2A6448B2663955A0C1EA
                            SHA-512:771CEAAC3FA63F340BFD0719521F2700700E208405E07E6D0750D859C11422665F735A7882ED299CB4AE19B841EBED311AEB74EF3C474C3F9ADC4D5B9D7FF497
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Category:dropped
                            Size (bytes):216496
                            Entropy (8bit):6.646208142644182
                            Encrypted:false
                            SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                            MD5:A3AE5D86ECF38DB9427359EA37A5F646
                            SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                            SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                            SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Joe Sandbox View:
                            • Filename: #U00d6szt#U00f6nd#U00edjprogram.msi, Detection: malicious, Browse
                            • Filename: processo974974.msi, Detection: malicious, Browse
                            • Filename: SeraphicSecurity_3ce70be9df6fdb942f72600d8492175bc8bcdc5b94520facce66549f8f7e1a47.msi, Detection: malicious, Browse
                            • Filename: SeraphicSecurity_3ce70be9df6fdb942f72600d8492175bc8bcdc5b94520facce66549f8f7e1a47.msi, Detection: malicious, Browse
                            • Filename: Microsoft.HEVCVideoExtensions.Installer.x64.msi, Detection: malicious, Browse
                            • Filename: SeraphicSecurity_e08fcb76f26923d577ecad3e35d45725bb9f8295766543006f1a2e0aea5a6370.msi, Detection: malicious, Browse
                            • Filename: SeraphicSecurity_f605c43a4f26313c6228c8fa342de4539f09081dc4e4ffc66e0f5d0a0634e99d.msi, Detection: malicious, Browse
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):9429628
                            Entropy (8bit):4.5753725325362335
                            Encrypted:false
                            SSDEEP:24576:WduOrEMlfaaWBRMCtk5F9liAgHlD5hk09TCt2roL9oM56FJgu0WMBytSbXh2Cjuh:hOYMlfxW9GOYMlfxW92OYMlfxW9D
                            MD5:4C4ADDAC8D4C4FA2AF4B7F295D9CCC8F
                            SHA1:A3FA24293C0A95AAD59F974C85C9E91CCCA6BE62
                            SHA-256:56422C7DDEDA7246B06794CAB8DED4FAC41A6EF5E4D9395D60D652F09E18DC22
                            SHA-512:6510D40C0D3F154083BA8C1BC6E584E77315826B4C5B405233BA38E44070BBB2F320327A129B897728AE31E2D904CB35F20FE93271DBBA7A240D2C911745D264
                            Malicious:false
                            Preview:...@IXOS.@.....@Ph.Z.@.....@.....@.....@.....@.....@......&.{63AC4523-5F19-42F0-BC43-97C8B5373589}..NWE Agent..NWE000064.msi.@.....@.....@.....@........&.{B9E33C19-6A15-4785-AE6F-0B9E88A1ED01}.....@.....@.....@.....@.......@.....@.....@.......@......NWE Agent......Rollback..Rolling back action: [1]....RollbackCleanup..Removing backup files File: [1].....@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{8CD250C4-0F5F-41DC-A58F-13B8903CC0B5}).C:\Windows\system32\drivers\NWEDriver.sys.@.......@.....@.....@......&.{F8822897-02B3-4DCF-8F22-0B7C7F854D86} .C:\Windows\system32\NWEAgent.exe.@.......@.....@.....@......&.{BBB4955D-F817-44E6-98D0-CBAE66480AA3};.22:\System\CurrentControlSet\Services\NWEAgent\ServiceProxy.@.......@.....@.....@...........@....&.{00000000-0000-0000-0000-000000000000}.@.....@.....@......&.{BBB4955D-F817-44E6-98D0-CBAE66480AA4}2.22:\System\CurrentControlSet\Services\NWEAgent\XCC.@.......@.....@.....@...........@....&.{00000000
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):3127808
                            Entropy (8bit):4.575053685939914
                            Encrypted:false
                            SSDEEP:24576:vduOrEMlfaaWBRMCtk5F9liAgHlD5hk09TCt2roL9oM56FJgu0WMBytSbXh2CjuZ:8OYMlfxW9
                            MD5:0A1C23151A737CD6F007A33500F06722
                            SHA1:6F86EF996A9702339B686AC1E596BC277E151404
                            SHA-256:CB43317B7EC8792DBD57B2186EF51C0CB544C651676D2A6448B2663955A0C1EA
                            SHA-512:771CEAAC3FA63F340BFD0719521F2700700E208405E07E6D0750D859C11422665F735A7882ED299CB4AE19B841EBED311AEB74EF3C474C3F9ADC4D5B9D7FF497
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):3127808
                            Entropy (8bit):4.575053685939914
                            Encrypted:false
                            SSDEEP:24576:vduOrEMlfaaWBRMCtk5F9liAgHlD5hk09TCt2roL9oM56FJgu0WMBytSbXh2CjuZ:8OYMlfxW9
                            MD5:0A1C23151A737CD6F007A33500F06722
                            SHA1:6F86EF996A9702339B686AC1E596BC277E151404
                            SHA-256:CB43317B7EC8792DBD57B2186EF51C0CB544C651676D2A6448B2663955A0C1EA
                            SHA-512:771CEAAC3FA63F340BFD0719521F2700700E208405E07E6D0750D859C11422665F735A7882ED299CB4AE19B841EBED311AEB74EF3C474C3F9ADC4D5B9D7FF497
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Category:modified
                            Size (bytes):3127808
                            Entropy (8bit):4.575053685939914
                            Encrypted:false
                            SSDEEP:24576:vduOrEMlfaaWBRMCtk5F9liAgHlD5hk09TCt2roL9oM56FJgu0WMBytSbXh2CjuZ:8OYMlfxW9
                            MD5:0A1C23151A737CD6F007A33500F06722
                            SHA1:6F86EF996A9702339B686AC1E596BC277E151404
                            SHA-256:CB43317B7EC8792DBD57B2186EF51C0CB544C651676D2A6448B2663955A0C1EA
                            SHA-512:771CEAAC3FA63F340BFD0719521F2700700E208405E07E6D0750D859C11422665F735A7882ED299CB4AE19B841EBED311AEB74EF3C474C3F9ADC4D5B9D7FF497
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):1.163122068594216
                            Encrypted:false
                            SSDEEP:12:JSbX72FjFAGiLIlHVRpiBh/7777777777777777777777777vDHFNfTdPp7l0i8Q:JLQI5A7fTdUF
                            MD5:6E277C892E9A36FB8E04BDAC4EFF5379
                            SHA1:734B4EC595DDF384EDBA245816BC8F58819B56D6
                            SHA-256:D1AC0A40EF32764B8A8018290141498F6C62BD238F22ABBEAE38FF339A9C2234
                            SHA-512:26AE41012F4D5D5A8DFDB276D70CD8C8EAED101BDD672C8C2C494363BAD45265DC4A12CA298BA2C435B588DA592803502E558AE5E3EE780B858DBC952BE0E9ED
                            Malicious:false
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):1.4624231405487187
                            Encrypted:false
                            SSDEEP:48:n8PhtuRc06WXJAjT5qkbx42pS7b7UTySIY:mht1DjTQYxrpK7UO8
                            MD5:6F486EBED02BED4E006E2A32821FD86D
                            SHA1:56AF067303F209DF70D8B10DB9A8344609EB816D
                            SHA-256:48B7C5DF9C18107A685EFF17FECA80639909CE75EEC6C77137A3C43287F5F19B
                            SHA-512:D23902D738B727AF3641E8145B652A48145DBAF2CA64FBA493DDE9C0F31A1B9B4FB8EF577BC6C6A62953A03F47A24E15542EE556D272504817DA1FEF35A58525
                            Malicious:false
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):455581
                            Entropy (8bit):5.381739607415563
                            Encrypted:false
                            SSDEEP:3072:CpI1rhwukl2UFY+ikDR9KjVWHq+BqLBOhajc9ijF2JtsxcBS1J3BM0Aa+iVbwebL:DKboSBk
                            MD5:ED9C7C23D0676DC56812AFBC3470F10B
                            SHA1:454706E70AA4139EAF5F1B75449962B1C0CCCE21
                            SHA-256:162B81950682F403A000E745712EE07536581D00FA6186E9E96D19D5C177F1DE
                            SHA-512:5B806FCD53D194EA032AF0CD0B46B5CB521E3F4C1EED0B0CADC66FDDDE0F474436670909FC2B7D86DA53A0387CEC5A8C80A4CB21B74C1CDA277C24CD7F969461
                            Malicious:false
                            Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..05/07/2022 07:40:26.485 [3724]: Command line: D:\wd\compilerTemp\BMT.ijbjbjy2.cay\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..05/07/2022 07:40:26.516 [3724]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..05/07/2022 07:40:26.547 [3724]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..05/07/2022 07:40:26.547 [3724]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..05/07/2022 07:40:26.547 [
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):9096888
                            Entropy (8bit):6.574234976279403
                            Encrypted:false
                            SSDEEP:98304:p+fHltaooo0Eev/NnN+nleW39gWh7vKJyyHD:pUltaooDZN+nlNNgAayyj
                            MD5:02E51CF4B7B7ADA651F41B482C83E0A2
                            SHA1:EABA9CA22D550767494280EEE387D7F882211521
                            SHA-256:9B4CEB1B598A4026A5B140A8E8ECEDA8442AAD690AB1B0819F26D9CD955E3433
                            SHA-512:10A96AB8812B250DA41A661EDEB55FDFCBE6F4ACBBA18AD1AFECF460DBABDB104A9F301918FE675350942774122EEE3980B9284C2D4B1FE5C525E10ECD13E118
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):270080
                            Entropy (8bit):6.431079341593855
                            Encrypted:false
                            SSDEEP:3072:TBoiBM0gGn4PXREzzDcR43AaU2lIfPOmNOIxi7s7R3OC3wAGiLs7M8RvMM//n/ed:TBo5G4vaDZi2Ov3xwiQVMM/ejk+H3
                            MD5:04F821EFCE4466E85AA3DFEDEFE03B7E
                            SHA1:C51F5536C85D462A2780E2992F9E1F7C0CB3E98D
                            SHA-256:6749454E56F9BB9AD262AC1A51E50515CCEBA3ABBADF379B381730EFFDB62688
                            SHA-512:8757F9F6251091326BEAC5008183F30326E4FC86DEEE35F9F864BF158191505D63CAA95B3309693B501C15DAAE6D5D3192E0907543D2A66F09F820A1450C2580
                            Malicious:false
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:PE32+ executable (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):270080
                            Entropy (8bit):6.431079341593855
                            Encrypted:false
                            SSDEEP:3072:TBoiBM0gGn4PXREzzDcR43AaU2lIfPOmNOIxi7s7R3OC3wAGiLs7M8RvMM//n/ed:TBo5G4vaDZi2Ov3xwiQVMM/ejk+H3
                            MD5:04F821EFCE4466E85AA3DFEDEFE03B7E
                            SHA1:C51F5536C85D462A2780E2992F9E1F7C0CB3E98D
                            SHA-256:6749454E56F9BB9AD262AC1A51E50515CCEBA3ABBADF379B381730EFFDB62688
                            SHA-512:8757F9F6251091326BEAC5008183F30326E4FC86DEEE35F9F864BF158191505D63CAA95B3309693B501C15DAAE6D5D3192E0907543D2A66F09F820A1450C2580
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 0%
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):69632
                            Entropy (8bit):0.10212830974676694
                            Encrypted:false
                            SSDEEP:24:cIVM5ipVm42+sipVJVJWpGTFFkjyIkd+GWk:rM5Sc42pS7b7UT0Ek
                            MD5:799E41A5BFD4B174DF7F09C706F3F332
                            SHA1:E44E461AA200EB3C662121D9736E583346E0A42D
                            SHA-256:61A7DA915F4CF2DF278D8A589575D63C625BDBED5E1FC799FB89A91981894AFC
                            SHA-512:8B406D9706A666ACF8F6676AC6A94A5067103DF2868A06973399BAFEF31E3A81450BA653889B8C0AC24DE65114C4E5083A2296BBC79957D6246A9EECFAAB5071
                            Malicious:false
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):1.4624231405487187
                            Encrypted:false
                            SSDEEP:48:n8PhtuRc06WXJAjT5qkbx42pS7b7UTySIY:mht1DjTQYxrpK7UO8
                            MD5:6F486EBED02BED4E006E2A32821FD86D
                            SHA1:56AF067303F209DF70D8B10DB9A8344609EB816D
                            SHA-256:48B7C5DF9C18107A685EFF17FECA80639909CE75EEC6C77137A3C43287F5F19B
                            SHA-512:D23902D738B727AF3641E8145B652A48145DBAF2CA64FBA493DDE9C0F31A1B9B4FB8EF577BC6C6A62953A03F47A24E15542EE556D272504817DA1FEF35A58525
                            Malicious:false
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):0.07077591823422016
                            Encrypted:false
                            SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKONf3FGWE6dkhiVky6l7:2F0i8n0itFzDHFNfTdO7
                            MD5:7637DF2E38AB3CE1C21B92A335B7E624
                            SHA1:AB5ECEF37160C7335F07677D018CC7AD4A27992F
                            SHA-256:DD42E9204382C58A5479E7D3DF68A4080B8B09B7CFFF6AFAE2D928BF8CDC5583
                            SHA-512:F076E3512C43974253FC065F749C7685114470312A8304A748F77DE7D11204C76F6706255C7029825930820A6D2D3E60C6A9E536D07D5A8F336C1CDA9E636CC1
                            Malicious:false
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):1.1789594433602355
                            Encrypted:false
                            SSDEEP:48:ZeVulTJveFXJjT5kkbx42pS7b7UTySIY:MVtLTGYxrpK7UO8
                            MD5:A805B9A47F4D545E6F8D5D6673992906
                            SHA1:78751E3D53CA32F9A2EDD1AD25D689B0D3D5610B
                            SHA-256:0C047F63E54FDF6561C48AAED4A92D7B3337CBD1871F781212BDAA3A93AE58F9
                            SHA-512:81D3DD5AA0C511A2319B09BEFC0EF8DC4906C16F2D2DF3DC400AED67650A8CBEDF2BB668C5B2694A83C3407E598D9E4FCA73E60AD74085E54155A87DCF6D7B64
                            Malicious:false
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):20480
                            Entropy (8bit):1.4624231405487187
                            Encrypted:false
                            SSDEEP:48:n8PhtuRc06WXJAjT5qkbx42pS7b7UTySIY:mht1DjTQYxrpK7UO8
                            MD5:6F486EBED02BED4E006E2A32821FD86D
                            SHA1:56AF067303F209DF70D8B10DB9A8344609EB816D
                            SHA-256:48B7C5DF9C18107A685EFF17FECA80639909CE75EEC6C77137A3C43287F5F19B
                            SHA-512:D23902D738B727AF3641E8145B652A48145DBAF2CA64FBA493DDE9C0F31A1B9B4FB8EF577BC6C6A62953A03F47A24E15542EE556D272504817DA1FEF35A58525
                            Malicious:false
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):1.1789594433602355
                            Encrypted:false
                            SSDEEP:48:ZeVulTJveFXJjT5kkbx42pS7b7UTySIY:MVtLTGYxrpK7UO8
                            MD5:A805B9A47F4D545E6F8D5D6673992906
                            SHA1:78751E3D53CA32F9A2EDD1AD25D689B0D3D5610B
                            SHA-256:0C047F63E54FDF6561C48AAED4A92D7B3337CBD1871F781212BDAA3A93AE58F9
                            SHA-512:81D3DD5AA0C511A2319B09BEFC0EF8DC4906C16F2D2DF3DC400AED67650A8CBEDF2BB668C5B2694A83C3407E598D9E4FCA73E60AD74085E54155A87DCF6D7B64
                            Malicious:false
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:Composite Document File V2 Document, Cannot read section info
                            Category:dropped
                            Size (bytes):32768
                            Entropy (8bit):1.1789594433602355
                            Encrypted:false
                            SSDEEP:48:ZeVulTJveFXJjT5kkbx42pS7b7UTySIY:MVtLTGYxrpK7UO8
                            MD5:A805B9A47F4D545E6F8D5D6673992906
                            SHA1:78751E3D53CA32F9A2EDD1AD25D689B0D3D5610B
                            SHA-256:0C047F63E54FDF6561C48AAED4A92D7B3337CBD1871F781212BDAA3A93AE58F9
                            SHA-512:81D3DD5AA0C511A2319B09BEFC0EF8DC4906C16F2D2DF3DC400AED67650A8CBEDF2BB668C5B2694A83C3407E598D9E4FCA73E60AD74085E54155A87DCF6D7B64
                            Malicious:false
                            Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Windows\System32\msiexec.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):512
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3::
                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                            Malicious:false
                            Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.8997057413424585
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:nwe-agent-package.exe
                            File size:18'776'064 bytes
                            MD5:d779793b7e9ff50ed69c9667c5a7e353
                            SHA1:4a8369f171c3981969cbaa7976085740fe9f81e5
                            SHA256:619b771186acae11a60863c99d27a1b0896d3a4b0573ea102bbd0c87335372bb
                            SHA512:1f2d3360b16f982e99bf22c1c800868023b53cd1198dc787a6cd81a67f911269c10360f2f044aa4d4e6616ac33e46a563da60b1b5695c2e6ccac0cd9305232c2
                            SSDEEP:196608:Kt7g7zczHvpsJs+3kzjPcHOQVk2qKDHHn3QvXj/RVTER7:Kq7zIPiJs+ejPcFVkVKLHgvXjvg
                            TLSH:E117F1C9D16A44D2DC063FF998641BC3CB399E324B740058366B7D498F775EA806EEB2
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................................................................................._......._.1.......Y....._.......Rich...........
                            Icon Hash:90969696969696a8
                            Entrypoint:0x40361b
                            Entrypoint Section:.text
                            Digitally signed:true
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                            Time Stamp:0x669F975A [Tue Jul 23 11:43:22 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:6
                            OS Version Minor:0
                            File Version Major:6
                            File Version Minor:0
                            Subsystem Version Major:6
                            Subsystem Version Minor:0
                            Import Hash:4f97beee939c5f7d2061793b5187b9aa
                            Signature Valid:
                            Signature Issuer:
                            Signature Validation Error:
                            Error Number:
                            Not Before, Not After
                              Subject Chain
                                Version:
                                Thumbprint MD5:
                                Thumbprint SHA-1:
                                Thumbprint SHA-256:
                                Serial:
                                Instruction
                                call 00007F39B8B104BAh
                                jmp 00007F39B8B0FF6Fh
                                push ebp
                                mov ebp, esp
                                push 00000000h
                                call dword ptr [004150A0h]
                                push dword ptr [ebp+08h]
                                call dword ptr [0041509Ch]
                                push C0000409h
                                call dword ptr [00415038h]
                                push eax
                                call dword ptr [004150A4h]
                                pop ebp
                                ret
                                push ebp
                                mov ebp, esp
                                sub esp, 00000324h
                                push 00000017h
                                call dword ptr [004150A8h]
                                test eax, eax
                                je 00007F39B8B100F7h
                                push 00000002h
                                pop ecx
                                int 29h
                                mov dword ptr [0041D9D8h], eax
                                mov dword ptr [0041D9D4h], ecx
                                mov dword ptr [0041D9D0h], edx
                                mov dword ptr [0041D9CCh], ebx
                                mov dword ptr [0041D9C8h], esi
                                mov dword ptr [0041D9C4h], edi
                                mov word ptr [0041D9F0h], ss
                                mov word ptr [0041D9E4h], cs
                                mov word ptr [0041D9C0h], ds
                                mov word ptr [0041D9BCh], es
                                mov word ptr [0041D9B8h], fs
                                mov word ptr [0041D9B4h], gs
                                pushfd
                                pop dword ptr [0041D9E8h]
                                mov eax, dword ptr [ebp+00h]
                                mov dword ptr [0041D9DCh], eax
                                mov eax, dword ptr [ebp+04h]
                                mov dword ptr [0041D9E0h], eax
                                lea eax, dword ptr [ebp+08h]
                                mov dword ptr [0041D9ECh], eax
                                mov eax, dword ptr [ebp-00000324h]
                                mov dword ptr [0041D928h], 00010001h
                                 Name                                  Virtual Address  Virtual Size  Is in Section
                                 IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                 IMAGE_DIRECTORY_ENTRY_IMPORT          0x1b864          0x64          .rdata
                                 IMAGE_DIRECTORY_ENTRY_RESOURCE        0x1f000          0x11cb5ec     .rsrc
                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                 IMAGE_DIRECTORY_ENTRY_SECURITY        0x1d000          0x28b8
                                 IMAGE_DIRECTORY_ENTRY_BASERELOC       0x11eb000        0x10ec        .reloc
                                 IMAGE_DIRECTORY_ENTRY_DEBUG           0x1aa30          0x70          .rdata
                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                 IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x1a970          0x40          .rdata
                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                 IMAGE_DIRECTORY_ENTRY_IAT             0x15000          0x184         .rdata
                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                 IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                 Name    Virtual Address  Virtual Size  Raw Size   MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
                                 .text   0x1000           0x13643       0x13800    76492a2f676e20fb370ffb5bfed4cff2  False     0.5883538661858975   data       6.600327329707427   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 .rdata  0x15000          0x7128        0x7200     1c209708ed99cbe5757da7166980039e  False     0.47245065789473684  data       5.184189706227616   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 .data   0x1d000          0x1428        0xa00      5b6924ad31b351c22e9d9ddd42ae112e  False     0.151953125          data       2.0424078455907404  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .rsrc   0x1f000          0x11cb5ec     0x11cb600  7ead7dc3c71b66a55a20c20be7a325ee  unknown   unknown              unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 .reloc  0x11eb000        0x10ec        0x1200     caa9fdc77783967890a5c7e4ea1b9667  False     0.7582465277777778   data       6.3863694732533824  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                 Name         RVA        Size       Language  Country         ZLIB Complexity
                                 RT_RCDATA    0x1f190    0x5df000   -         -               0.9875316619873047
                                              Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: NWE Agent, Author: RSA Security LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install NWE Agent., Template: Arm64;1033, Create Time/Date: Mon Jul 1 00:08:48 2024, Last Saved Time/Date: Mon Jul 1 00:08:48 2024, Number of Pages: 500, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.0.3910), Security: 2, Revision Number: {D35598D8-4309-4017-898E-1AD885CC1CE7}
                                 RT_RCDATA    0x5fe190   0x633000   -         -               0.9875373840332031
                                              Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: NWE Agent, Author: RSA Security LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install NWE Agent., Template: x64;1033, Create Time/Date: Mon Jul 1 00:08:20 2024, Last Saved Time/Date: Mon Jul 1 00:08:20 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Revision Number: {B9E33C19-6A15-4785-AE6F-0B9E88A1ED01}
                                 RT_RCDATA    0xc31190   0x5a7000   -         -               0.9874420166015625
                                              Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: NWE Agent, Author: RSA Security LLC, Keywords: Installer, Comments: This installer database contains the logic and data required to install NWE Agent., Template: Intel;1033, Create Time/Date: Mon Jul 1 00:07:54 2024, Last Saved Time/Date: Mon Jul 1 00:07:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2, Revision Number: {CAA73D01-7443-499F-9B69-B3688E9F95E3}
                                 RT_RCDATA    0x11d8190  0x11c10    -         -               0.2749037403740374
                                              Type: data
                                 RT_VERSION   0x11e9da0  0x3ec      -         -               0.2848605577689243
                                              Type: data
                                 RT_VERSION   0x11ea18c  0x1f4      English   United States   0.552
                                              Type: data
                                 RT_MANIFEST  0x11ea380  0x26c      English   United States   0.5451612903225806
                                              Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (560), with CRLF line terminators
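The section and resource tables above give a per-section MD5 and 8-bit entropy, and they show what this wrapper actually carries: three MSI databases (Arm64, x64 and Intel builds) stored as RT_RCDATA resources inside a .rsrc section of 0x11cb600 bytes, next to a .text section of only 0x13800 bytes. The Python script below is an added example, not part of the Joe Sandbox report or of the RSA NetWitness Endpoint agent package. Using only the standard library, it parses a PE section table and computes the same two measurements over each section's raw bytes, reports which section dominates the file, and then carves embedded Compound File (MSI) headers by their D0 CF 11 E0 A1 B1 1A E1 signature, mapping each hit back to the section and RVA it sits in, which is how the embedded installers can be pulled out of a resource-embedded dropper for separate analysis. It runs on a constructed fixture built in `build_sample_pe` (a hypothetical minimal PE32, not this sample); feed `parse_sections` and `carve_cdf` the bytes of a real file to get real numbers.

```python
import hashlib
import math
import struct
from collections import Counter

# OLE2 / Compound File header signature; MSI databases use this container.
CDF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the "Entropy (8bit)" metric."""
    if not data:
        return 0.0
    n = len(data)
    # Each p*log2(p) term is <= 0, so abs() of the sum is the entropy (and avoids -0.0).
    return abs(sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    one dict per section with the fields the section table above lists."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    first_hdr = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsect):
        (name, vsize, va, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, first_hdr + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "raw_offset": raw_ptr,
            "characteristics": chars,
            "md5": hashlib.md5(raw).hexdigest(),
            "entropy": shannon_entropy(raw),
        })
    return sections


def largest_section_share(pe: bytes, sections: list) -> tuple:
    """(name, fraction of file bytes) of the biggest section. A wrapper whose .rsrc
    holds nearly the whole file, as above, is a resource-embedded dropper."""
    biggest = max(sections, key=lambda s: s["raw_size"])
    return biggest["name"], biggest["raw_size"] / len(pe)


def carve_cdf(pe: bytes, sections: list) -> list:
    """Find embedded Compound File headers and map each file offset back to the
    containing section and its RVA (the RVA is what the resource table reports)."""
    hits = []
    off = pe.find(CDF_MAGIC)
    while off >= 0:
        hit = {"offset": off, "rva": None, "section": None}
        for s in sections:
            if s["raw_offset"] <= off < s["raw_offset"] + s["raw_size"]:
                hit["section"] = s["name"]
                hit["rva"] = s["virtual_address"] + (off - s["raw_offset"])
                break
        hits.append(hit)
        off = pe.find(CDF_MAGIC, off + 1)
    return hits


def build_sample_pe() -> bytes:
    """Constructed fixture (hypothetical, not a real binary): a minimal PE32 with a
    tiny .text and a .rsrc carrying one CDF-style blob, mirroring the wrapper layout."""
    headers_size, text_va, rsrc_va = 0x400, 0x1000, 0x2000
    text = b"\x55\x8b\xec" + b"\x90" * 13                   # push ebp; mov ebp, esp; nops
    payload = CDF_MAGIC + bytes(range(256)) * 4           # stand-in for an embedded MSI
    text_raw = text.ljust(0x200, b"\0")
    rsrc_raw = payload.ljust(0x600, b"\0")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 optional-header magic
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    hdrs = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_va, len(text_raw),
                       headers_size, 0, 0, 0, 0, 0x60000020)
    hdrs += struct.pack("<8sIIIIIIHHI", b".rsrc", len(payload), rsrc_va, len(rsrc_raw),
                        headers_size + len(text_raw), 0, 0, 0, 0, 0x40000040)
    image = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(headers_size, b"\0")
    return image + text_raw + rsrc_raw


if __name__ == "__main__":
    sample = build_sample_pe()
    secs = parse_sections(sample)
    for s in secs:
        print(f"{s['name']:<8}{s['virtual_address']:#010x} raw={s['raw_size']:#x} "
              f"md5={s['md5']} entropy={s['entropy']:.3f}")
    print("largest section:", largest_section_share(sample, secs))
    for h in carve_cdf(sample, secs):
        print(f"CDF header at file offset {h['offset']:#x} -> {h['section']} RVA {h['rva']:#x}")
```

Carving by signature rather than walking the resource directory is deliberate: it also finds blobs that are not registered as resources, and it needs no PE library. The trade-off is false positives, since any OLE2 file (old Office documents, for example) embedded anywhere in the image matches the same magic, so each hit should be checked against the resource table, as the three RVAs above (0x1f190, 0x5fe190, 0xc31190) can be checked against the .rsrc base of 0x1f000.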
                                 DLL           Import
                                 SHLWAPI.dll   PathFindFileNameW, PathAppendW, PathAddBackslashW, PathRemoveFileSpecW, PathFileExistsW
                                 ADVAPI32.dll  RegOpenKeyExW, RegQueryValueExW
                                 KERNEL32.dll  GetConsoleMode, GetConsoleOutputCP, DecodePointer, LeaveCriticalSection, ExpandEnvironmentStringsW, WaitForSingleObject, CloseHandle, CreateProcessW, GetExitCodeProcess, SizeofResource, VirtualFree, GetCurrentProcess, WriteFile, VirtualAlloc, GetTempPathW, CreateFileW, GetCurrentThreadId, GetModuleHandleA, GetLastError, DeleteFileW, LoadLibraryW, LoadResource, FindResourceW, GetProcAddress, MoveFileExW, GetFileSize, GetModuleHandleW, GetSystemWindowsDirectoryW, GetTickCount, MoveFileW, IsWow64Process, CompareStringW, LocalFree, FlushFileBuffers, HeapReAlloc, HeapSize, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, SetLastError, EnterCriticalSection, WriteConsoleW, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetStringTypeW, LCMapStringW, GetProcessHeap, SetFilePointerEx
                                 SHELL32.dll   CommandLineToArgvW
                                 Description     Data
                                 CompanyName     RSA
                                 LegalCopyright  2024 RSA Security LLC., All rights reserved.
                                 FileVersion     12.5.0.0
                                 ProductVersion  12.5.0.0
                                 Translation     0x0409 0x04b0
                                 CompanyName     RSA
                                 LegalCopyright  2024 RSA Security LLC., All rights reserved.
                                 FileVersion     12.5.0.0
                                 ProductVersion  12.5.0.0
                                 Translation     0x0409 0x04b0
                                 Language of compilation system  Country where language is spoken  Map
                                 English                         United States

                                 Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                 Apr 17, 2025 19:04:09.143704891 CEST  54223        444        192.168.2.24  192.168.73.110
                                 Apr 17, 2025 19:04:14.158751011 CEST  54223        444        192.168.2.24  192.168.73.110
                                 Apr 17, 2025 19:04:19.159789085 CEST  54223        444        192.168.2.24  192.168.73.110
                                 Apr 17, 2025 19:04:29.161391020 CEST  54224        444        192.168.2.24  192.168.73.110
                                Target ID:2
                                Start time:13:02:27
                                Start date:17/04/2025
                                Path:C:\Users\user\Desktop\nwe-agent-package.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\nwe-agent-package.exe"
                                Imagebase:0x370000
                                File size:18'776'064 bytes
                                MD5 hash:D779793B7E9FF50ED69C9667C5A7E353
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:5
                                Start time:13:02:30
                                Start date:17/04/2025
                                Path:C:\Windows\SysWOW64\msiexec.exe
                                Wow64 process (32bit):true
                                Commandline:msiexec.exe /i "C:\Users\user\AppData\Local\Temp\NWE000064.msi" /l*v "C:\Users\user\AppData\Local\Temp\EMSINWEAgent.log" /qn /norestart REBOOT=ReallySuppress
                                Imagebase:0x650000
                                File size:145'408 bytes
                                MD5 hash:FE653E9A818C22D7E744320F65A91C09
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:6
                                Start time:13:02:30
                                Start date:17/04/2025
                                Path:C:\Windows\System32\msiexec.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\msiexec.exe /V
                                Imagebase:0x7ff716b10000
                                File size:176'128 bytes
                                MD5 hash:C0D3BDDE74C1EC82F75681D4D5ED44C8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:false

                                Target ID:7
                                Start time:13:02:31
                                Start date:17/04/2025
                                Path:C:\Windows\System32\msiexec.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\MsiExec.exe -Embedding D1A53A86C19E57E245B620139E1373F7
                                Imagebase:0x7ff716b10000
                                File size:176'128 bytes
                                MD5 hash:C0D3BDDE74C1EC82F75681D4D5ED44C8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:8
                                Start time:13:02:31
                                Start date:17/04/2025
                                Path:C:\Windows\SysWOW64\msiexec.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 1108A51BD73D834A7FB678C6DEF8FEAB
                                Imagebase:0x650000
                                File size:145'408 bytes
                                MD5 hash:FE653E9A818C22D7E744320F65A91C09
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:9
                                Start time:13:02:33
                                Start date:17/04/2025
                                Path:C:\Windows\System32\msiexec.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\MsiExec.exe -Embedding B1D6E94B6C4B7F2DD31CD6178828D99A E Global\MSI0000
                                Imagebase:0x7ff716b10000
                                File size:176'128 bytes
                                MD5 hash:C0D3BDDE74C1EC82F75681D4D5ED44C8
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:10
                                Start time:13:02:34
                                Start date:17/04/2025
                                Path:C:\Windows\System32\NWEAgent.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\NWEAgent.exe /runasservice
                                Imagebase:0x7ff717160000
                                File size:9'096'888 bytes
                                MD5 hash:02E51CF4B7B7ADA651F41B482C83E0A2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 0%, ReversingLabs
                                Reputation:low
                                Has exited:false

                                Target ID:12
                                Start time:13:02:37
                                Start date:17/04/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                                Imagebase:0x7ff756bc0000
                                File size:79'920 bytes
                                MD5 hash:8EC922C7A58A8701AB481B7BE9644536
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:false

                                Target ID:13
                                Start time:13:02:38
                                Start date:17/04/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
                                Imagebase:0x7ff756bc0000
                                File size:79'920 bytes
                                MD5 hash:8EC922C7A58A8701AB481B7BE9644536
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:false

                                Target ID:14
                                Start time:13:02:38
                                Start date:17/04/2025
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WFDSConMgrSvc
                                Imagebase:0x7ff756bc0000
                                File size:79'920 bytes
                                MD5 hash:8EC922C7A58A8701AB481B7BE9644536
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                No disassembly