Edit tour

Windows Analysis Report
LHRUnlocker Install.msi

Overview

General Information

Sample Name:	LHRUnlocker Install.msi
Analysis ID:	577501
MD5:	ca17c1bbedc959ad89f1c1dbf6b7aa32
SHA1:	d24658face1f6fd3b457d7250c9b1a630798678d
SHA256:	8fb46d2d56dd411ad10862204849abf9a4546f1ab1d40bcb6b0cac284debc055
Infos:

Detection

Score:	45
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Suspicious Script Execution From Temp Folder

Bypasses PowerShell execution policy

Sigma detected: Change PowerShell Policies to a Unsecure Level

Sigma detected: Powershell Defender Exclusion

Adds a directory exclusion to Windows Defender

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Found dropped PE file which has not been started or loaded

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 4348 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi" MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 3744 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)

msiexec.exe (PID: 4884 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

msiexec.exe (PID: 6736 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4 MD5: 12C17B5A5C2A7B97342C362CA467E9A2)

powershell.exe (PID: 7036 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue." MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 1504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ MD5: DBA3E6449E97D4E3DF64527EF7012A10)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 7036	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xbd9b:$sa2: -encodedCommand 0xbdc7:$sa2: -encodedCommand 0xc4ac:$sa2: -EncodedCommand 0xcfb6:$sa2: -EncodedCommand 0xd051:$sa2: -encodedCommand 0x11e5:$sc2: -NoProfile 0x48a3:$sc2: -NoProfile 0x684d:$sc2: -NoProfile 0x286cc:$sc2: -NoProfile 0x316ce:$sc2: -NoProfile 0x3181e:$sc2: -NoProfile 0x31c90:$sc2: -NoProfile 0x32004:$sc2: -NoProfile 0x32289:$sc2: -NoProfile 0x32607:$sc2: -NoProfile 0x3c815:$sc2: -NoProfile 0x7b6f6:$sc2: -NoProfile 0x7b846:$sc2: -NoProfile 0x7c19f:$sc2: -NoProfile 0x7c503:$sc2: -NoProfile 0x7cbcd:$sc2: -NoProfile

Sigma Signatures

System Summary

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036

Sigma detected: Change PowerShell Policies to a Unsecure Level

Source: Process started

Author: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036

Sigma detected: Powershell Defender Exclusion

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, CommandLine|base64offset|contains: *&, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7036, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\, ProcessId: 6712

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 6736, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue.", ProcessId: 7036

Source: Pipe created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132901445801825560.7036.DefaultAppDomain.powershell

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb> source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbj source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb` source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: powershell.exe, 00000014.00000002.567216756.0000000003417000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png0
Source: powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000008.00000002.569706056.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569503503.0000000005321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://t2.symcb.com0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://tl.symcd.com0&
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	String found in binary or memory: http://www.winimage.com/zLibDll
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	String found in binary or memory: http://www.winimage.com/zLibDll1.2.7rbr
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	String found in binary or memory: https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester0
Source: powershell.exe, 00000008.00000003.527476361.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: 3c1a5a.msi.1.dr	String found in binary or memory: https://t.me/LHRUnlockerChannelButtonText_Finish&FinishManufacturerSergeyProductCode
Source: 3c1a5a.msi.1.dr	String found in binary or memory: https://t.me/LHRUnlockerMSIFASTINSTALLAI_CURRENT_YEAR2022ButtonText_Decline&DeclineAI_PREDEF_LCONDS_
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: https://www.advancedinstaller.com
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	String found in binary or memory: https://www.thawte.com/repository0W

Source: Process Memory Space: powershell.exe PID: 7036, type: MEMORYSTR

Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI1FD8.tmp

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\3c1a5a.msi

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00874080
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_008755B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00873168
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00870B90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_008793B8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00874BC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0087CB70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00871428
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0087B6B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0087B6A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_0087B6B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00887538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 20_2_035DB9B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process Stats: CPU usage > 98%

Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameviewer.exeF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameShortcutFlags.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameAICustAct.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs LHRUnlocker Install.msi
Source: LHRUnlocker Install.msi	Binary or memory string: OriginalFilenameFileOperations.dllF vs LHRUnlocker Install.msi

Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\LHRUnlocker Install.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D930A47D56309F190C9E79168CF159A8 C
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EE2A3AF825C1BBEBB4FC2081145CDAF4
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220223

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmp

Jump to behavior

Source: classification engine

Classification label: mal45.evad.winMSI@11/20@0/0

Source: C:\Windows\System32\msiexec.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: LHRUnlocker Install.msi

Static file information: TRID: Microsoft Windows Installer (77509/1) 52.18%

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1504:120:WilError_01

Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Next >
Source: C:\Windows\System32\msiexec.exe	Automated click: Install

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: LHRUnlocker Install.msi

Static file information: File size 7207424 > 1048576

Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb: source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb> source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb\ source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\ShortcutFlags.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\FileOperations.pdbj source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSI3268.tmp.1.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\SoftwareDetector.pdb` source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr, MSIF69B.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdb source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\AICustAct.pdbn source: LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF832.tmp.0.dr
Source:	Binary string: C:\JobRelease\win\Release\custact\x86\viewer.pdb source: LHRUnlocker Install.msi, 3c1a5a.msi.1.dr

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00873168 push eax; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00878B31 push eax; retf

Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF513.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF34C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF280.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF69B.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3268.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2874.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIEF62.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF832.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1FD8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Local\Temp\MSIF447.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3268.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2874.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1FD8.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908	Thread sleep count: 2777 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6908	Thread sleep count: 366 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5612	Thread sleep count: 39 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5736	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF513.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF34C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF280.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2874.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSIF447.tmp	Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2777
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 366

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation

Source: powershell.exe, 00000008.00000002.571424300.000000000545F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.570148293.0000000005001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V
Source: MSIF69B.tmp.0.dr	Binary or memory string: RegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.571424300.000000000545F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.570148293.0000000005001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Cl:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."

Adds a directory exclusion to Windows Defender

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."

Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss341F.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3350.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3351.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3352.txt" -propSep " :<->: " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Replication Through Removable Media	1 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	21 Masquerading	OS Credential Dumping	1 Security Software Discovery	1 Replication Through Removable Media	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 File Deletion	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LHRUnlocker Install.msi	0%	Virustotal		Browse
LHRUnlocker Install.msi	0%	Metadefender		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\MSIEF62.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIEF62.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF280.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF280.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF34C.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF34C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF447.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF447.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF513.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF513.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF69B.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF69B.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MSIF832.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\MSIF832.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png0	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr	0%	Avira URL Cloud	safe
https://go.micro	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://t.me/LHRUnlockerMSIFASTINSTALLAI_CURRENT_YEAR2022ButtonText_Decline&DeclineAI_PREDEF_LCONDS_	3c1a5a.msi.1.dr	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png0	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester0	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.thawte.com/cps0/	LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	false		high
http://schemas.xmlsoap.org/soap/encoding/	powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false		high
https://drivers.sergeydev.com/windows/511.65-desktop-win64bit-interr	LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000008.00000003.527476361.00000000057BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.thawte.com/repository0W	LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	false		high
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000014.00000002.569907486.0000000005463000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t.me/LHRUnlockerChannelButtonText_Finish&FinishManufacturerSergeyProductCode	3c1a5a.msi.1.dr	false		high
https://contoso.com/License	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000008.00000002.574716959.0000000005DB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.advancedinstaller.com	LHRUnlocker Install.msi, MSI2874.tmp.1.dr, 3c1a5a.msi.1.dr, MSIF447.tmp.0.dr, MSIF513.tmp.0.dr, MSIF280.tmp.0.dr, MSIEF62.tmp.0.dr, MSI1FD8.tmp.1.dr, MSIF34C.tmp.0.dr, MSIF69B.tmp.0.dr, MSI3268.tmp.1.dr, MSIF832.tmp.0.dr	false		high
http://www.winimage.com/zLibDll	LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0.html0	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000008.00000002.569706056.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.569503503.0000000005321000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll1.2.7rbr	LHRUnlocker Install.msi, 3c1a5a.msi.1.dr	false		high
https://github.com/Pester/Pester	powershell.exe, 00000008.00000002.569890289.0000000004E93000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	577501
Start date:	23.02.2022
Start time:	18:48:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 19s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	LHRUnlocker Install.msi
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal45.evad.winMSI@11/20@0/0
EGA Information:	Successful, ratio: 50%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.54.104.15
Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
Execution Graph export aborted for target powershell.exe, PID 7036 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
18:50:55	API Interceptor	7x Sleep call for process: powershell.exe modified

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.8968676994158
Encrypted:	false
SSDEEP:	96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5:	36DE9155D6C265A1DE62A448F3B5B66E
SHA1:	02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256:	8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512:	C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	408544
Entropy (8bit):	6.410598211463919
Encrypted:	false
SSDEEP:	6144:FwznG9uw/r8fyHQMNvrPGtPu4AO9k9ZeWYhEIho7bZQ:SG9TAVMlSn30Z0EIhgbZQ
MD5:	5D25243E90673C44AC420D69676F9062
SHA1:	23234013562F7EF738DB615246D391B8E191B475
SHA-256:	0DDB820918F3918496E414617536226AF08E27A7F13E5A58444F8DCF297A65D5
SHA-512:	47BA474912D8530FC78FD2C61572A3C9E91A27B1BDFAB08869A550AE0452298B3FF63A06B607BECA9D8DF56BCCC19B9720F5E1EC59EA5F3FD0F85C9762058FB9
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0..c..c..c"..b..c"..bV.c...b..c...b..c...b..c"..b..c"..b..c"..b..c..c..cH..b..cH..b..cH.Sc..c..;c..cH..b..cRich..c........PE..L...G..a.........."!.........&............... ...............................`............@.........................@...................0............"..........\B...S..p...................@U......HT..@............ ..$............................text............................... ..`.rdata....... ......................@..@.data...............................@....rsrc...0...........................@..@.reloc..\B.......D..................@..B........................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	5784
Entropy (8bit):	3.4920621874565785
Encrypted:	false
SSDEEP:	96:5wb5jTmmywV2BVrIovmkiGjxcj6BngOcvjb:5wbdTif/njVyvb
MD5:	FC1BB6C87FD1F08B534E52546561C53C
SHA1:	DB402C5C1025CF8D3E79DF7B868FD186243AA9D1
SHA-256:	A04750ED5F05B82B90F6B8EA3748BA246AF969757A5A4B74A0E25B186ADD520B
SHA-512:	5495F4AC3C8F42394A82540449526BB8DDD91ADF0A1A852A9E1F2D32A63858B966648B4099D9947D8AC68EE43824DACDA24C337C5B97733905E36C4921280E86
Malicious:	true
Preview:	..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . . .[.s.t.r.i.n.g.]. .$.t.e.s.t.P.r.e.f.i.x..... .,.[.s.w.i.t.c.h.]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Create Time/Date: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {F58EB665-B875-433C-AEBE-8C055BEC1E2C}, Number of Words: 2, Subject: NVIDIA RTX LHR v2 unlocker, Author: Sergey, Name of Creating Application: NVIDIA RTX LHR v2 unlocker, Template: x64;2057, Comments: This installer database contains the logic and data required to install NVIDIA RTX LHR v2 unlocker., Title: Installation Database, Keywords: Installer, MSI, Database, Number of Pages: 200
Entropy (8bit):	7.562593437382455
TrID:	Microsoft Windows Installer (77509/1) 52.18% Windows SDK Setup Transform Script (63028/2) 42.43% Generic OLE2 / Multistream Compound File (8008/1) 5.39%
File name:	LHRUnlocker Install.msi
File size:	7207424
MD5:	ca17c1bbedc959ad89f1c1dbf6b7aa32
SHA1:	d24658face1f6fd3b457d7250c9b1a630798678d
SHA256:	8fb46d2d56dd411ad10862204849abf9a4546f1ab1d40bcb6b0cac284debc055
SHA512:	238f6e7b51a8d10b3828c3c9cec4e24725b8a5d4503cd5b9eff941906875057728dfd8d90da456edbb71a8fa8f68e60042961ee2af56c0bc68f31f64fd066f6b
SSDEEP:	196608:7+XqI6tGPI9Wo7x4dC29R/LcgZxVHh5J:7+aI6tGPI0k4YaB
File Content Preview:	........................>...................n.......................W...........I.......e.......6...7...8...9...:...;...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...,...-......./...c...d...e...f...g...h...i......................................

Has Summary Info:	True
Application Name:	NVIDIA RTX LHR v2 unlocker
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Code Page:	1252
Title:	Installation Database
Subject:	NVIDIA RTX LHR v2 unlocker
Author:	Sergey
Keywords:	Installer, MSI, Database
Comments:	This installer database contains the logic and data required to install NVIDIA RTX LHR v2 unlocker.
Template:	x64;2057
Last Saved By:
Revion Number:	{F58EB665-B875-433C-AEBE-8C055BEC1E2C}
Last Printed:	2009-12-11 11:47:44.850000
Create Time:	2009-12-11 11:47:44.850000
Last Saved Time:	2020-09-18 14:06:51.913000
Number of Pages:	200
Number of Words:	2
Creating Application:	NVIDIA RTX LHR v2 unlocker
Security:	0

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	596
Entropy:	4.74586135252
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . $ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . X . . . . . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . # . . W z . . @ . . . # . . W z . . @ . . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . ' . . . { F 5 8 E B 6 6 5 - B 8
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 24 02 00 00 10 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 01 00 00 00 b4 00 00 00 09 00 00 00 bc 00 00 00 0f 00 00 00 ec 00 00 00 03 00 00 00 f4 00 00 00 04 00 00 00 18 01 00 00

General
Stream Path:	\x16786\x17522\x15550\x15884\x18327\x18152\x18472
File Type:	MS Windows icon resource - 4 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Stream Size:	22257
Entropy:	4.03626304959
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . h . . . F . . . . . . . . ( . . . . . . . 0 0 . . . . . h & . . . . . . . . . . . . . . . . . > < . . ( . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 04 00 10 10 00 00 01 00 20 00 68 04 00 00 46 00 00 00 20 20 00 00 01 00 20 00 28 11 00 00 ae 04 00 00 30 30 00 00 01 00 20 00 68 26 00 00 d6 15 00 00 00 00 00 00 01 00 20 00 b3 1a 00 00 3e 3c 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 20 00 00 00 00 00 40 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x15358\x17388\x15912\x16947\x16693\x17207\x17522\x18358\x17383\x18479
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	407008
Entropy:	6.5620566215
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . . G . O . . . O . . . O . . . = . . . O . . . = . . l O . . . = . . . O . . . : . . . O . . . : . . . O . . . : . . . O . . b : . . . O . . b : . . . O . . . = . . . O . . . O . . . N . . b : . . . O . . b : . . . O . . b : S . . O . . . O ; . . O . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x15870\x18088
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size:	318
Entropy:	2.03444158006
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x15998\x18098\x17768\x17116\x17384\x16175\x17766\x17644\x15735\x17956\x16817\x16939\x18357\x17383\x18479
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	589280
Entropy:	6.56720964314
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . ; . . . Z . J . Z . J . Z . J ~ ( . K . Z . J ~ ( . K . Z . J ~ ( . K . Z . J . / . K . Z . J . / . K . Z . J . . ! J . Z . J . / . K . Z . J ~ ( . K . Z . J . Z . J . [ . J . / . K . Z . J . / . K . Z . J . / # J . Z . J . Z K J . Z . J . / . K . Z . J
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x16190\x17010\x18103\x17764\x15208\x17896\x16808\x17591\x18357\x17383\x18479
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	895968
Entropy:	6.44996656139
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . X . Z . . . 4 P . . 4 P . . 4 P . . 7 Q . . 4 P . . 1 Q . . 4 P N . 0 Q . . 4 P N . 7 Q . . 4 P N . 1 Q N . 4 P . . 0 Q . . 4 P . . 5 Q . . 4 P . . 5 P 1 . 4 P . . = Q , . 4 P . . 4 Q . . 4 P . . . P . . 4 P . . . P . . 4 P . . 6 Q . . 4 P R i c h . . 4 P
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x16190\x17579\x17909\x17958\x15351\x16687\x17834\x16894\x17391
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	288224
Entropy:	6.58114708933
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . u S D A . . D A . . D A . . . 3 . . I A . . . 3 . . . A . . . 4 . . U A . . . 4 . . R A . . . 4 . . . A . . . 3 . . ] A . . . 3 . . E A . . . 3 . . U A . . D A . . . A . . . 4 . . _ A . . . 4 . . E A . . . 4 . . E A . . D A . . E A . . . 4 . . E A . .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x16318\x18483
File Type:	MS Windows icon resource - 1 icon, 16x16, 16 colors
Stream Size:	318
Entropy:	2.03693614652
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	00 00 01 00 01 00 10 10 10 00 00 00 00 00 28 01 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00 00 00 ff 00 ff 00 ff ff 00 00 ff ff ff 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x16702\x16812\x17848\x16695\x17894\x16894\x17391
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Stream Size:	408544
Entropy:	6.41059821146
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . . . 0 . . . c . . . c . . . c " . . b . . . c " . . b V . . c . . . b . . . c . . . b . . . c . . . b . . . c " . . b . . . c " . . b . . . c " . . b . . . c . . . c . . . c H . . b . . . c H . . b . . . c H . S c . . . c . . ; c . . . c H . . b . . . c
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

General
Stream Path:	\x17163\x16689\x18229\x16766\x17508\x16945\x18357\x16822\x17380\x14440\x14341\x17278\x17075
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 938x111, frames 3
Stream Size:	9319
Entropy:	7.35217207818
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

General
Stream Path:	\x17163\x16689\x18229\x16830\x16880\x17199\x17329\x17764\x17589\x18490
File Type:	MS Windows icon resource - 3 icons, 16x16, 16 colors, 4 bits/pixel, 16x16, 8 bits/pixel
Stream Size:	2862
Entropy:	3.16043065194
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . ( . . . 6 . . . . . . . . . . . h . . . ^ . . . . . . . . . . h . . . . . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w v . . . . . " " " " " o . . " " " " " o . . w w w " " . . . . . . " / . . . .
Data Raw:	00 00 01 00 03 00 10 10 10 00 00 00 04 00 28 01 00 00 36 00 00 00 10 10 00 00 00 00 08 00 68 05 00 00 5e 01 00 00 10 10 00 00 00 00 20 00 68 04 00 00 c6 06 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0

General
Stream Path:	\x17163\x16689\x18229\x16830\x17458\x17395\x17896\x18476
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.35906224297
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . . . . . { . w . . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

General
Stream Path:	\x17163\x16689\x18229\x16830\x17848\x17207\x17574\x18481
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.29856879699
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . . . . . { . w . . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

General
Stream Path:	\x17163\x16689\x18229\x16894\x16684\x17583\x18346\x16822\x17380\x14440\x14341\x17278\x17075
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 938x593, frames 3
Stream Size:	27770
Entropy:	7.06368048149
Base64 Encoded:	True
Data ASCII:	. . . . . . J F I F . . . . . . . . . . . . . . D u c k y . . . . . . . < . . . . . } h t t p : / / n s . a d o b e . c o m / x a p / 1 . 0 / . < ? x p a c k e t b e g i n = " . . . " i d = " W 5 M 0 M p C e h i H z r e S z N T c z k c 9 d " ? > < x : x m p m e t a x m l n s : x = " a d o b e : n s : m e t a / " x : x m p t k = " A d o b e X M P C o r e 6 . 0 - c 0 0 6 7 9 . d a b a c b b , 2 0 2 1 / 0 4 / 1 4 - 0 0 : 3 9 : 4 4 " > < r d f : R D F x m l n s : r d f =
Data Raw:	ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff ec 00 11 44 75 63 6b 79 00 01 00 04 00 00 00 3c 00 00 ff e1 03 7d 68 74 74 70 3a 2f 2f 6e 73 2e 61 64 6f 62 65 2e 63 6f 6d 2f 78 61 70 2f 31 2e 30 2f 00 3c 3f 78 70 61 63 6b 65 74 20 62 65 67 69 6e 3d 22 ef bb bf 22 20 69 64 3d 22 57 35 4d 30 4d 70 43 65 68 69 48 7a 72 65 53 7a 4e 54 63 7a 6b 63 39 64 22 3f 3e 20 3c 78

General
Stream Path:	\x17163\x16689\x18229\x16958\x16827\x16687\x17200\x18470
File Type:	MS Windows icon resource - 1 icon, 32x32, 16 colors
Stream Size:	766
Entropy:	3.3484862649
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 1 . . . . . . . . . . . . 3 3 2 3 3 3 3 3 3 3 3 3 3 3 3 . 3 3 $ D D D D D D D D D D D @ 1 . 2 D D D D D D D D D D D D D . . 2 D D D D D D @ D D D D D D C . 2 D D D D D D 3 4 D D D D D C . 2 D D D D D @ 3 0 D D D D D . . 3 $ D D D D D 3 4 D D D D D 1 . 3 $
Data Raw:	00 00 01 00 01 00 20 20 10 00 00 00 00 00 e8 02 00 00 16 00 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 c0 c0 00 80 80 80 00 00 80 80 00 00 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 33

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LHRUnlocker Install.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\MSIEF62.tmp

C:\Users\user\AppData\Local\Temp\MSIF280.tmp

C:\Users\user\AppData\Local\Temp\MSIF34C.tmp

C:\Users\user\AppData\Local\Temp\MSIF447.tmp

C:\Users\user\AppData\Local\Temp\MSIF513.tmp

C:\Users\user\AppData\Local\Temp\MSIF69B.tmp

C:\Users\user\AppData\Local\Temp\MSIF832.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5xdfaoyo.lnf.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i2ddoyuu.1tk.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lf5no10l.5dz.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xhr5i13g.js1.psm1

C:\Users\user\AppData\Local\Temp\pss341F.ps1

C:\Users\user\AppData\Local\Temp\scr3351.ps1

C:\Users\user\Documents\20220223\PowerShell_transcript.878411.jRMym6xB.20220223184945.txt

C:\Windows\Installer\3c1a5a.msi

C:\Windows\Installer\MSI1FD8.tmp

C:\Windows\Installer\MSI2874.tmp

C:\Windows\Installer\MSI3268.tmp

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Static File Info

General

File Icon

Static OLE Info

Windows Analysis Report
LHRUnlocker Install.msi

General
Stream Path:	\x17163\x16689\x18229\x17214\x17009\x18482
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 16x16, 16 colors
Stream Size:	1078
Entropy:	2.86422695486
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . ( . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . w p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . p . . . . . . . . . . w w . . . w w . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 10 10 10 00 00 00 00 00 28 01 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 80 80 80 00 c0 c0 c0 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

General
Stream Path:	\x17163\x16689\x18229\x17214\x17841\x17207\x17574\x18481
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.40653521205
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . w . . . . . . . . . . p . . x . . . . w . . . . . . . . x . . . w . . w . . . . . . . p . . x x . . w ~ . . . . . . . . x . . . . . ~ . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

General
Stream Path:	\x17163\x16689\x18229\x17790\x17448\x18034\x16812\x18482
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.92283562852
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . w w . . . . . . . . . . . . w . f . w . . . . . . w . . . . . v v f . w . . . . . . . . . . . n f f l . w . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

General
Stream Path:	\x17163\x16689\x18229\x17790\x17640\x17188\x17205\x18470
File Type:	MS Windows icon resource - 2 icons, 32x32, 16 colors, 32x32
Stream Size:	2998
Entropy:	4.6676615263
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . & . . . . . . . . . . . . . . . . . ( . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . { . . . . . . . . . . . . . . . . . . p . . . . . . . . . . x . { . w p . . . . . . . . ( . . . { . w . . . . . . . . . ( x x x . . . . . . . . . . .
Data Raw:	00 00 01 00 02 00 20 20 10 00 00 00 00 00 e8 02 00 00 26 00 00 00 20 20 00 00 00 00 00 00 a8 08 00 00 0e 03 00 00 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80 00 00 c0 c0 c0 00 80 80 80 00 00 00 ff 00 00 ff 00 00 00 ff ff 00 ff 00

General
Stream Path:	\x17163\x16689\x18229\x17918\x16740\x16677\x17318
File Type:	PC bitmap, Windows 3.x format, 1 x 200 x 24
Stream Size:	854
Entropy:	3.80253159876
Base64 Encoded:	False
Data ASCII:	B M V . . . . . . . 6 . . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	42 4d 56 03 00 00 00 00 00 00 36 00 00 00 28 00 00 00 01 00 00 00 c8 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ee f3 f4 00 ef f3 f4 00 ef f3 f4 00 ef f3 f4 00 ef f4 f4 00 ef f4 f4 00 ef f4 f5 00 ef f4 f5 00 ef f4 f5 00 ef f4

General
Stream Path:	\x17163\x16689\x18229\x18046\x16940\x16954\x18357\x18152\x18472
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Stream Size:	399328
Entropy:	6.5891658431
Base64 Encoded:	True
Data ASCII:	M Z . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . L . ! T h i s p r o g r a m c a n n o t b e r u n i n D O S m o d e . . . . $ . . . . . . . . M . . , N . . , N . . , N . B ^ M . . , N . B ^ K . = , N . . Y J . . , N . . Y M . . , N . . Y K . . , N . B ^ J . . , N . B ^ H . . , N . B ^ O . . , N . . , O . . , N . ( Y G . . , N . ( Y . . . , N . . , . . . , N . ( Y L . . , N . R i c h . , N .
Data Raw:	4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00

General
Stream Path:	\x17191\x17334\x18305\x16678\x18469
File Type:	Microsoft Cabinet archive data, 3753879 bytes, 4 files
Stream Size:	3753879
Entropy:	7.997971703
Base64 Encoded:	True
Data ASCII:	M S C F . . . . . G 9 . . . . . , . . . . . . . . . . . . . . . . . . . . . . . H . . . . & > . . . . . . . . R . C . c o r e l i b . d l l . . . . . . & > . . . . R . C . M o n o H e l p e r . d l l . . . ) . . . J . . . . R . C . S y s t e m . d l l . . . / . . . t . . . . R . C . S y s t e m . X m l . d l l . . . . . N 9 . . C K . : . t . . u . o f . . . . J Z . 4 . . - . . . y < . Z . V . . . - . . m . . . . . . q . . . . . ^ . k . . e . 1 . 4 . . . . 6 M . . . . . . i h O . ` . . . ` . . . q
Data Raw:	4d 53 43 46 00 00 00 00 97 47 39 00 00 00 00 00 2c 00 00 00 00 00 00 00 03 01 01 00 04 00 00 00 d2 04 00 00 a1 00 00 00 48 01 01 00 00 26 3e 00 00 00 00 00 00 00 b2 52 c3 43 20 00 63 6f 72 65 6c 69 62 2e 64 6c 6c 00 00 e8 0b 00 00 26 3e 00 00 00 b2 52 a4 43 20 00 4d 6f 6e 6f 48 65 6c 70 65 72 2e 64 6c 6c 00 00 fa 29 00 00 0e 4a 00 00 00 b2 52 a4 43 20 00 53 79 73 74 65 6d 2e 64 6c

General
Stream Path:	\x18496\x15167\x17394\x17464\x17841
File Type:	data
Stream Size:	1424
Entropy:	4.90033147389
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + . + . + . + . + . + . + . + . + . + . 5 . 5 . 5 . 9 . 9 . 9 . > . > . > . > . > . A . A . A . A . A . A . O . O . O . O . O . O . O . Q . Q . Q . V . V . V . V . V . V . V . V . V . X . X . Z . Z . \\ . \\ . \\ . ] . ] . ] . ^ . ^ . ^ . ^ . a . a . a . b . b . b . b . b . b . d . d . d . f . f . f . f . f . f . f . f . f . f . f . f . i . i . i . i . i . i . i . i . k . k . k . k . k . k . p . p . p . p . r . r . r . r . t . t . t . t . t . t .
Data Raw:	04 00 04 00 04 00 04 00 04 00 04 00 07 00 07 00 07 00 11 00 11 00 11 00 1b 00 1b 00 20 00 20 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 2b 00 35 00 35 00 35 00 39 00 39 00 39 00 3e 00 3e 00 3e 00 3e 00 3e 00 41 00 41 00 41 00 41 00 41 00 41 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 4f 00 51 00 51 00 51 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 56 00 58 00 58 00

General
Stream Path:	\x18496\x15498\x15359\x17388\x15208\x18098\x17393\x16690\x18471
File Type:	data
Stream Size:	12
Entropy:	2.61749246118
Base64 Encoded:	False
Data ASCII:	M . N . O . P . Q . . .
Data Raw:	4d 01 4e 01 4f 01 50 01 51 01 11 80

General
Stream Path:	\x18496\x15518\x16925\x17915
File Type:	data
Stream Size:	444
Entropy:	5.30938688259
Base64 Encoded:	False
Data ASCII:	D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . " . $ . & . ( . * . , . . . 0 . 2 . 3 . 5 . 7 . 9 . ; . = . ? . A . C . D . F . H . I . K . M . O . Q . R . S . U . W . Y . [ . ] . _ . ` . a . c . e . g . i . k . m . o . q . s . u . w . y . { . } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . .
Data Raw:	44 01 d2 06 d4 06 d5 06 d7 06 d9 06 db 06 dc 06 de 06 df 06 e0 06 e2 06 e3 06 e5 06 e7 06 e8 06 ea 06 ec 06 ee 06 f0 06 f2 06 f4 06 f5 06 f7 06 f9 06 fb 06 fd 06 ff 06 01 07 03 07 05 07 07 07 09 07 0a 07 0c 07 0e 07 10 07 12 07 14 07 16 07 18 07 1a 07 1c 07 1e 07 20 07 22 07 24 07 26 07 28 07 2a 07 2c 07 2e 07 30 07 32 07 33 07 35 07 37 07 39 07 3b 07 3d 07 3f 07 41 07 43 07 44 07