Windows Analysis Report
Br_i421i2-2481-125_754864.msi

Overview

General Information

Sample name: Br_i421i2-2481-125_754864.msi
Analysis ID: 1447349
MD5: dc2ff54f9664f90f09004b367fbdca10
SHA1: e0dd52a75514bae7e68396e953eab1a62e567aa5
SHA256: 0cc32738dd2dbf5d0c128a9029783b6daa691c999683feae8b9caa4c0805eaad
Tags: msi
Infos:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected MalDoc
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Writes many files with high entropy
Checks for available system drives (often done to infect USB drives)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdb source: vcomp140_app.dll.1.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Br_i421i2-2481-125_754864.msi, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbg source: Br_i421i2-2481-125_754864.msi, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\msvcp140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WebExperienceHostApp.pdb&& source: WebExperienceHostApp.exe, 00000008.00000000.2006121013.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source: Binary string: WebExperienceHostApp.pdb source: WebExperienceHostApp.exe, 00000008.00000000.2006121013.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcruntime140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mrt100_app.pdb source: mrt100_app.dll.1.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdbGCTL source: vcomp140_app.dll.1.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\vulkan-1.dll.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: B.pdb source: external_extensions_0000x.57.8.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Br_i421i2-2481-125_754864.msi, 4b3b27.msi.1.dr
Checks for available system drives (often done to infect USB drives)
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\WerFault.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007AA230 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn, 8_2_00007FFE007AA230

Networking
barindex
Yara detected MalDoc
Source: Yara match File source: Br_i421i2-2481-125_754864.msi, type: SAMPLE
Source: Yara match File source: C:\Windows\Installer\4b3b27.msi, type: DROPPED
Source: powershell.exe, 00000003.00000002.2007551719.00000000049C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://blob.cpq22prdstr01a.store.core.windows.net
Source: powershell.exe, 00000003.00000002.2007551719.00000000049C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bost.blob.core.windows.net
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000003.00000002.2011514359.0000000006B30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microQ
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdf
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000003.00000002.2007551719.0000000004706000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: WebExperienceHostApp.exe, 00000008.00000002.2062560294.0000000065F52000.00000020.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9DE3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/03
Source: WebExperienceHostApp.exe, 00000008.00000002.2062560294.0000000065F52000.00000020.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: powershell.exe, 00000003.00000002.2007551719.00000000045B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc1321
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc4648
Source: powershell.exe, 00000003.00000002.2007551719.0000000004706000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: xmpp.dll.1.dr String found in binary or memory: http://www.apachefriends.org/f/viewforum.php?f=16
Source: xmpp.dll.1.dr String found in binary or memory: http://www.apachefriends.org/f/viewforum.php?f=4
Source: WebExperienceHostApp.exe, 00000008.00000002.2062560294.0000000065F52000.00000020.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr String found in binary or memory: http://www.borland.com/namespaces/Types
Source: WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9DE3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types03
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf
Source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF492510000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924DD000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CC0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.ietf.org/rfc/rfc3447.txt
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.itl.nist.gov/fipspubs/fip180-1.htm
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.movable-type.co.uk/scripts/xxtea.pdf
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.schneier.com/paper-blowfish-fse.html
Source: chrome.exe, 00000009.00000002.2297957579.0000000063152000.00000020.00000001.01000000.0000000B.sdmp String found in binary or memory: http://www.schneier.com/paper-twofish-paper.pdf
Source: WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9CFB000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073107385.000001CDA9DBF000.00000004.00001000.00020000.00000000.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2070683951.000000006626A000.00000002.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr String found in binary or memory: https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.br
Source: WebExperienceHostApp.exe, 00000008.00000002.2070683951.000000006626A000.00000002.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr String found in binary or memory: https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.brFMX_STYLE
Source: powershell.exe, 00000003.00000002.2007551719.00000000045B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000003.00000002.2007551719.000000000490E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bost.blo
Source: powershell.exe, 00000003.00000002.2007551719.000000000490E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bost.blo(f
Source: Br_i421i2-2481-125_754864.msi String found in binary or memory: https://bost.blob.core.wi
Source: powershell.exe, 00000003.00000002.2007551719.0000000004951000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bost.blob.core.windows.net
Source: powershell.exe, 00000003.00000002.2007551719.000000000490E000.00000004.00000800.00020000.00000000.sdmp, scr43E3.ps1.2.dr, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr String found in binary or memory: https://bost.blob.core.windows.net/2205tomps/bastaodorei.mlk
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://crashpad.chromium.org/
Source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: powershell.exe, 00000003.00000002.2007551719.0000000004706000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2007551719.0000000004DDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: WebExperienceHostApp.exe, 00000008.00000002.2070683951.000000006626A000.00000002.00000001.01000000.00000009.sdmp, vcruntime140_1_app.dll.1.dr String found in binary or memory: https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal
Source: powershell.exe, 00000003.00000002.2010502679.000000000561E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Spam, unwanted Advertisements and Ransom Demands
barindex
Writes many files with high entropy
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\appData\24052024.zip entropy: 7.99872022431 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.30 entropy: 7.99752780953 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.31 entropy: 7.99330413873 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.32 entropy: 7.9982834495 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.33 entropy: 7.99517225944 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.34 entropy: 7.99824305433 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.35 entropy: 7.99790959486 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.36 entropy: 7.99754718991 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.37 entropy: 7.99770998551 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.38 entropy: 7.99715340846 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.39 entropy: 7.99776227345 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.4 entropy: 7.99046230266 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.40 entropy: 7.99399133173 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.41 entropy: 7.99713861921 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.42 entropy: 7.99667055392 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.43 entropy: 7.99414348537 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.44 entropy: 7.99781831277 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.45 entropy: 7.99405865581 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.46 entropy: 7.99772013622 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.47 entropy: 7.99779597898 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.48 entropy: 7.99276827367 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.49 entropy: 7.99797758594 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.5 entropy: 7.99823961145 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50 entropy: 7.99448796462 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.51 entropy: 7.99703199099 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.52 entropy: 7.99497283467 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.53 entropy: 7.99807423749 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.54 entropy: 7.99531409722 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.55 entropy: 7.99674971497 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.56 entropy: 7.99474871603 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.57 entropy: 7.9982840934 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.58 entropy: 7.99246215184 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.59 entropy: 7.99409874979 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.6 entropy: 7.99845761566 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.60 entropy: 7.99738800393 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.61 entropy: 7.99460856626 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.62 entropy: 7.99798601902 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.63 entropy: 7.99432159953 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.64 entropy: 7.99815865014 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.65 entropy: 7.99622567341 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.66 entropy: 7.9951105294 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.67 entropy: 7.9974883893 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.68 entropy: 7.99846732736 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.69 entropy: 7.99701507902 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.7 entropy: 7.99791398394 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.70 entropy: 7.99460045101 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.71 entropy: 7.99805655456 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.72 entropy: 7.99528518128 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.73 entropy: 7.99752214025 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.74 entropy: 7.9979940302 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.75 entropy: 7.99403941576 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.1 entropy: 7.99832754142 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.10 entropy: 7.99805977047 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.100 entropy: 7.99814455019 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.101 entropy: 7.99805920411 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.102 entropy: 7.99398437537 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.103 entropy: 7.9969613831 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.104 entropy: 7.99837165529 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.105 entropy: 7.99490534733 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.76 entropy: 7.99805834668 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.77 entropy: 7.99594269497 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.78 entropy: 7.99832335849 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.79 entropy: 7.99474667993 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.8 entropy: 7.99833024695 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.80 entropy: 7.99725858533 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.81 entropy: 7.99805459791 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.82 entropy: 7.99401136409 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.83 entropy: 7.99790203419 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.84 entropy: 7.99456452064 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.106 entropy: 7.99816744472 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.107 entropy: 7.99516845459 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.109 entropy: 7.99829884537 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.11 entropy: 7.99404648214 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.110 entropy: 7.99610810388 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.111 entropy: 7.99867490099 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.112 entropy: 7.99779818478 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.113 entropy: 7.99791560708 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.114 entropy: 7.99420401473 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.85 entropy: 7.99905143323 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.86 entropy: 7.997904103 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.87 entropy: 7.99772075385 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.88 entropy: 7.99299422459 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.89 entropy: 7.99836997664 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.9 entropy: 7.99812769595 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.90 entropy: 7.993925773 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.91 entropy: 7.99668825058 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.92 entropy: 7.9981015402 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.93 entropy: 7.99479992523 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.115 entropy: 7.9976080306 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.116 entropy: 7.9941388261 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.117 entropy: 7.99835871385 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.118 entropy: 7.99471154974 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.119 entropy: 7.99780940325 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.12 entropy: 7.99573288862 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.120 entropy: 7.99419790942 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.121 entropy: 7.99820009329 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.122 entropy: 7.9935670475 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.123 entropy: 7.99877373818 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.94 entropy: 7.99806786473 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.95 entropy: 7.99503182523 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.96 entropy: 7.99820951674 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.97 entropy: 7.99366192441 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.98 entropy: 7.99841208592 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.99 entropy: 7.99474767769 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.124 entropy: 7.99782036754 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.125 entropy: 7.99790353721 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.126 entropy: 7.99795396183 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.127 entropy: 7.99819061954 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.128 entropy: 7.99578707328 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.129 entropy: 7.99767920118 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.13 entropy: 7.99555057257 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.130 entropy: 7.99448073439 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.131 entropy: 7.99785714597 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.132 entropy: 7.99495719328 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.133 entropy: 7.99787043835 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.134 entropy: 7.99409008648 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14 entropy: 7.99685420083 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.15 entropy: 7.99814258165 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.16 entropy: 7.99514210593 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.17 entropy: 7.99802992616 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.18 entropy: 7.99426880008 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.19 entropy: 7.99804200099 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.2 entropy: 7.99839321454 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.20 entropy: 7.99482421893 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.21 entropy: 7.99819014746 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.22 entropy: 7.99506507103 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.23 entropy: 7.99805207356 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.24 entropy: 7.99355397795 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.25 entropy: 7.99713455209 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.26 entropy: 7.9975483379 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.27 entropy: 7.99500009348 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.28 entropy: 7.99787066785 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.29 entropy: 7.9932411667 Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.3 entropy: 7.997978048 Jump to dropped file
Creates files inside the system directory
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4b3b27.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3CCD.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D2C.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D4C.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D6C.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3DBC.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{B95F3E55-F3A2-459E-ACB1-42A9918E3822} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3E49.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI435B.tmp Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI3CCD.tmp Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04032015 3_2_04032015
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007AE8D0 8_2_00007FFE007AE8D0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007DC0E8 8_2_00007FFE007DC0E8
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007C1120 8_2_00007FFE007C1120
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007C4A10 8_2_00007FFE007C4A10
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007D69A0 8_2_00007FFE007D69A0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007AB2C8 8_2_00007FFE007AB2C8
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007D3300 8_2_00007FFE007D3300
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007B6B3C 8_2_00007FFE007B6B3C
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007AFA60 8_2_00007FFE007AFA60
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007CBA60 8_2_00007FFE007CBA60
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007C5290 8_2_00007FFE007C5290
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007B2430 8_2_00007FFE007B2430
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007BB3A0 8_2_00007FFE007BB3A0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007DAD0C 8_2_00007FFE007DAD0C
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007BC500 8_2_00007FFE007BC500
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007B9C50 8_2_00007FFE007B9C50
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007B6464 8_2_00007FFE007B6464
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007C2CA0 8_2_00007FFE007C2CA0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007C7714 8_2_00007FFE007C7714
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007C4E50 8_2_00007FFE007C4E50
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007BD660 8_2_00007FFE007BD660
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007C1680 8_2_00007FFE007C1680
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007DFEBA 8_2_00007FFE007DFEBA
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007AC6B0 8_2_00007FFE007AC6B0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007CAFD0 8_2_00007FFE007CAFD0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007D57E0 8_2_00007FFE007D57E0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007DC7E0 8_2_00007FFE007DC7E0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007D3808 8_2_00007FFE007D3808
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007BE810 8_2_00007FFE007BE810
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007D5010 8_2_00007FFE007D5010
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007DA038 8_2_00007FFE007DA038
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007C5F40 8_2_00007FFE007C5F40
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007B97A0 8_2_00007FFE007B97A0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007B67BC 8_2_00007FFE007B67BC
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007AD7B0 8_2_00007FFE007AD7B0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE1A457238 8_2_00007FFE1A457238
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE5E820 9_2_00007FF63EE5E820
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE037E0 9_2_00007FF63EE037E0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDB1BD0 9_2_00007FF63EDB1BD0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EF35CB0 9_2_00007FF63EF35CB0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDBEBA0 9_2_00007FF63EDBEBA0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE96B80 9_2_00007FF63EE96B80
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE9DB70 9_2_00007FF63EE9DB70
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EEC5B40 9_2_00007FF63EEC5B40
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDEDD30 9_2_00007FF63EDEDD30
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE2DC80 9_2_00007FF63EE2DC80
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE47880 9_2_00007FF63EE47880
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDBC440 9_2_00007FF63EDBC440
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDCC840 9_2_00007FF63EDCC840
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EF35C30 9_2_00007FF63EF35C30
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE92980 9_2_00007FF63EE92980
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE5FD80 9_2_00007FF63EE5FD80
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EEF095C 9_2_00007FF63EEF095C
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE00330 9_2_00007FF63EE00330
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE7FF00 9_2_00007FF63EE7FF00
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDFB6F0 9_2_00007FF63EDFB6F0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDBE2A0 9_2_00007FF63EDBE2A0
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EEC4A90 9_2_00007FF63EEC4A90
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE59690 9_2_00007FF63EE59690
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE90280 9_2_00007FF63EE90280
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EE62280 9_2_00007FF63EE62280
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDF9260 9_2_00007FF63EDF9260
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDC1270 9_2_00007FF63EDC1270
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EECF660 9_2_00007FF63EECF660
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14 6B3265B2F82E206BED8B6CD56C2A3F0FA9D8FD027E19A9713DA618B177D9264B
Source: Joe Sandbox View Dropped File: C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50 34397DE1D9DC94AAA08CA1D267B64B0E12CCABA008BABE6F592E563F00DC874B
Found potential string decryption / allocating functions
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: String function: 00007FF63EDE4F50 appears 31 times
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: String function: 00007FF63EF14A90 appears 188 times
One or more processes crash
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2500 -s 580
PE file contains executable resources (Code or Archives)
Source: xmpp.dll.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
PE file contains more sections than normal
Source: chrome.exe.8.dr Static PE information: Number of sections : 12 > 10
Source: xmpp.dll.1.dr Static PE information: Number of sections : 11 > 10
Source: chrome_pwa_launcher.exe.8.dr Static PE information: Number of sections : 13 > 10
Source: chrome_elf.dll.8.dr Static PE information: Number of sections : 14 > 10
Sample file is different than original file name gathered from version info
Source: Br_i421i2-2481-125_754864.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs Br_i421i2-2481-125_754864.msi
Source: Br_i421i2-2481-125_754864.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs Br_i421i2-2481-125_754864.msi
Source: chrome_elf.dll.8.dr Static PE information: Section: .dim ZLIB complexity 0.999755117306231
Source: classification engine Classification label: mal80.rans.troj.evad.winMSI@12/188@0/0
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007AA690 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn, 8_2_00007FFE007AA690
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML3E73.tmp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2500
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF737FEAFB5F47DDDF.TMP Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Br_i421i2-2481-125_754864.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Process created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2500 -s 580
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Process created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: msvcp140_app.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: vcruntime140_1_app.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: vcruntime140_app.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: vcruntime140_1_app.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: execmodelclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: windows.shell.servicehostbuilder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: mpr.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: d3d9.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: magnification.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Br_i421i2-2481-125_754864.msi Static file information: File size 9782272 > 1048576
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdb source: vcomp140_app.dll.1.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\initialexe\chrome.exe.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2017631838.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp, chrome.exe, 00000009.00000002.2301567835.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp, chrome.exe, 00000009.00000000.2061595070.00007FF63EF9F000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Br_i421i2-2481-125_754864.msi, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbg source: Br_i421i2-2481-125_754864.msi, MSI3E49.tmp.1.dr, 4b3b29.rbs.1.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\msvcp140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000008.00000002.2073862557.00007FFE007F5000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\chrome_pwa_launcher.exe.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2029891072.00007DF4924A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WebExperienceHostApp.pdb&& source: WebExperienceHostApp.exe, 00000008.00000000.2006121013.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source: Binary string: WebExperienceHostApp.pdb source: WebExperienceHostApp.exe, 00000008.00000000.2006121013.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe, 00000008.00000002.2073752558.00007FF61949A000.00000002.00000001.01000000.00000006.sdmp, WebExperienceHostApp.exe.1.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcruntime140_app.amd64.pdb source: WebExperienceHostApp.exe, 00000008.00000002.2074005137.00007FFE1A461000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: mrt100_app.pdb source: mrt100_app.dll.1.dr
Source: Binary string: d:\a01\_work\3\s\\binaries\amd64ret\bin\amd64\\app\\vcomp140_app.amd64.pdbGCTL source: vcomp140_app.dll.1.dr
Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\vulkan-1.dll.pdb source: WebExperienceHostApp.exe, 00000008.00000003.2050593930.00007DF4924C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: B.pdb source: external_extensions_0000x.57.8.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Br_i421i2-2481-125_754864.msi, 4b3b27.msi.1.dr
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FF619492AA0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary, 8_2_00007FF619492AA0
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .nFA
PE file contains sections with non-standard names
Source: mrt100_app.dll.1.dr Static PE information: section name: .didat
Source: vcruntime140_1_app.dll.1.dr Static PE information: section name: .didata
Source: vcruntime140_app.dll.1.dr Static PE information: section name: _RDATA
Source: xmpp.dll.1.dr Static PE information: section name: .didata
Source: chrome.exe.8.dr Static PE information: section name: .gxfg
Source: chrome.exe.8.dr Static PE information: section name: .retplne
Source: chrome.exe.8.dr Static PE information: section name: CPADinfo
Source: chrome.exe.8.dr Static PE information: section name: _RDATA
Source: chrome.exe.8.dr Static PE information: section name: malloc_h
Source: chrome_elf.dll.8.dr Static PE information: section name: .didata
Source: chrome_elf.dll.8.dr Static PE information: section name: .dim
Source: chrome_elf.dll.8.dr Static PE information: section name: ..yy
Source: chrome_elf.dll.8.dr Static PE information: section name: .g1t
Source: chrome_elf.dll.8.dr Static PE information: section name: .nFA
Source: chrome_pwa_launcher.exe.8.dr Static PE information: section name: .00cfg
Source: chrome_pwa_launcher.exe.8.dr Static PE information: section name: .gxfg
Source: chrome_pwa_launcher.exe.8.dr Static PE information: section name: .retplne
Source: chrome_pwa_launcher.exe.8.dr Static PE information: section name: LZMADEC
Source: chrome_pwa_launcher.exe.8.dr Static PE information: section name: _RDATA
Source: chrome_pwa_launcher.exe.8.dr Static PE information: section name: malloc_h
Source: vulkan-1.dll.8.dr Static PE information: section name: .gxfg
Source: vulkan-1.dll.8.dr Static PE information: section name: .retplne
Source: vulkan-1.dll.8.dr Static PE information: section name: _RDATA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007DD180 pushfq ; retf 0000h 8_2_00007FFE007DD181
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007DF6C4 pushfq ; ret 8_2_00007FFE007DF6C5
Drops PE files
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\appData\vcruntime140_1_app.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\appData\xmpp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D2C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI435B.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\appData\mrt100_app.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\appData\msvcp140_app.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\appData\vcomp140_app.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\appData\vcruntime140_app.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3CCD.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\appData\vcamp140_app.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3DBC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D6C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D4C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\appData\vccorlib140_app.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe File created: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D2C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI435B.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3CCD.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3DBC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D6C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3D4C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDC06F0 rdtsc 9_2_00007FF63EDC06F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6229 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3605 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Dropped PE file which has not been started: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3D2C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\xmpp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI435B.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Dropped PE file which has not been started: C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\vcomp140_app.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\mrt100_app.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3CCD.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3DBC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\vcamp140_app.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3D6C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3D4C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\appData\vccorlib140_app.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Dropped PE file which has not been started: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe API coverage: 1.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792 Thread sleep count: 6229 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7792 Thread sleep count: 3605 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7824 Thread sleep time: -17524406870024063s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FFE007AA230 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn, 8_2_00007FFE007AA230
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: powershell.exe, 00000003.00000002.2006872673.0000000000539000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: }\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ttG[
Source: powershell.exe, 00000003.00000002.2006872673.0000000000539000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: powershell.exe, 00000003.00000002.2011514359.0000000006B30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: powershell.exe, 00000003.00000002.2012217755.0000000006BED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDC06F0 rdtsc 9_2_00007FF63EDC06F0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FF6194940E0 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 8_2_00007FF6194940E0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FF619492AA0 LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,FreeLibrary, 8_2_00007FF619492AA0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FF619496CB0 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 8_2_00007FF619496CB0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EEDD548 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00007FF63EEDD548

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Br_i421i2-2481-125_754864.msi, type: SAMPLE
Source: Yara match File source: amsi32_7712.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7712, type: MEMORYSTR
Source: Yara match File source: C:\Windows\Installer\MSI3E49.tmp, type: DROPPED
Source: Yara match File source: C:\Config.Msi\4b3b29.rbs, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\4b3b27.msi, type: DROPPED
Bypasses PowerShell execution policy
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe "C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss43f5.ps1" -propfile "c:\users\user\appdata\local\temp\msi43e2.txt" -scriptfile "c:\users\user\appdata\local\temp\scr43e3.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr43e4.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss43f5.ps1" -propfile "c:\users\user\appdata\local\temp\msi43e2.txt" -scriptfile "c:\users\user\appdata\local\temp\scr43e3.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr43e4.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue." Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: ___lc_locale_name_func,GetLocaleInfoEx, 8_2_00007FFE007CFAE0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe Code function: 8_2_00007FF619491954 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_00007FF619491954
Source: C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe Code function: 9_2_00007FF63EDBD9E0 GetVersionExW,GetProductInfo,GetNativeSystemInfo, 9_2_00007FF63EDBD9E0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1447349 Sample: Br_i421i2-2481-125_754864.msi Startdate: 24/05/2024 Architecture: WINDOWS Score: 80 57 Antivirus detection for URL or domain 2->57 59 Yara detected Powershell download and execute 2->59 61 Yara detected MalDoc 2->61 63 2 other signatures 2->63 10 msiexec.exe 23 50 2->10         started        13 msiexec.exe 2 2->13         started        process3 file4 43 C:\Users\user\...\WebExperienceHostApp.exe, PE32+ 10->43 dropped 45 C:\Windows\Installer\MSI3E49.tmp, data 10->45 dropped 47 C:\Windows\Installer\4b3b27.msi, Composite 10->47 dropped 49 15 other files (1 malicious) 10->49 dropped 15 msiexec.exe 9 10->15         started        process5 file6 51 C:\Users\user\AppData\Local\...\scr43E3.ps1, Unicode 15->51 dropped 53 C:\Users\user\AppData\Local\...\pss43F5.ps1, Unicode 15->53 dropped 55 Bypasses PowerShell execution policy 15->55 19 powershell.exe 17 20 15->19         started        signatures7 process8 file9 33 C:\Users\user\AppData\Local\...\24052024.zip, data 19->33 dropped 65 Writes many files with high entropy 19->65 23 WebExperienceHostApp.exe 147 19->23         started        27 conhost.exe 19->27         started        signatures10 process11 file12 35 C:\...\external_extensions_0000x.50, COM 23->35 dropped 37 C:\...\external_extensions_0000x.14, DOS 23->37 dropped 39 C:\...\external_extensions_0000x.99, data 23->39 dropped 41 134 other files (130 malicious) 23->41 dropped 67 Writes many files with high entropy 23->67 29 chrome.exe 23->29         started        signatures13 process14 process15 31 WerFault.exe 20 16 29->31         started       
No contacted IP infos