Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

Br_i421i2-2481-125_754864.msi

Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Last Printed: Fri Dec 11 11:47:44 2009, Last Saved Time/Date: Fri Sep 18 15:06:51 2020, Security: 0, Code page: 1252, Revision Number: {2DB5220B-06B7-4340-8D25-6BB9D51802F1}, Number of Words: 10, Subject: Acrobat Reader, Author: Acrobat Reader, Name of Creating Application: Acrobat Reader, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Acrobat Reader., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Wed May 22 20:11:17 2024, Number of Pages: 200

initial sample

C:\Config.Msi\4b3b29.rbs

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.1

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.10

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.100

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.101

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.102

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.103

OpenPGP Secret Key

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.104

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.105

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.106

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.107

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.109

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.11

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.110

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.111

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.112

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.113

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.114

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.115

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.116

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.117

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.118

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.119

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.12

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.120

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.121

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.122

OpenPGP Secret Key

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.123

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.124

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.125

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.126

OpenPGP Public Key

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.127

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.128

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.129

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.13

PGP Secret Sub-key -

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.130

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.131

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.132

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.133

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.134

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.14

DOS executable (COM, 0x8C-variant)

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.15

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.16

OpenPGP Public Key

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.17

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.18

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.19

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.2

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.20

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.21

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.22

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.23

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.24

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.25

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.26

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.27

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.28

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.29

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.3

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.30

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.31

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.32

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.33

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.34

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.35

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.36

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.37

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.38

OpenPGP Secret Key

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.39

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.4

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.40

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.41

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.42

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.43

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.44

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.45

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.46

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.47

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.48

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.49

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.5

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.50

COM executable for DOS

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.51

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.52

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.53

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.54

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.55

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.56

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.57

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.58

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.59

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.6

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.60

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.61

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.62

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.63

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.64

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.65

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.66

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.67

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.68

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.69

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.7

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.70

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.71

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.72

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.73

OpenPGP Public Key

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.74

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.75

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.76

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.77

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.78

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.79

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.8

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.80

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.81

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.82

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.83

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.84

OpenPGP Secret Key

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.85

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.86

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.87

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.88

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.89

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.9

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.90

SysEx File -

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.91

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.92

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.93

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.94

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.95

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.96

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.97

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.98

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.99

data

dropped

C:\Users\user\AppData\Local\Temp\pss43F5.ps1

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Temp\scr43E3.ps1

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\appData\24052024.zip

data

dropped

C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\Windows\Installer\4b3b27.msi

dropped

C:\Windows\Installer\MSI3E49.tmp

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\124.0.6367.119.manifest

ASCII text, with CRLF line terminators

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\Extensions\external_extensions_0000x.108

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_100_percent.pak

data

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_elf.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome_pwa_launcher.exe

PE32+ executable (GUI) x86-64, for MS Windows

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\file.cur

MS Windows cursor resource - 1 icon, 32x32, hotspot @0x0

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\vk_swiftshader_icd.json

ASCII text, with no line terminators

dropped

C:\ProgramData\Chrome\Application\118.0.5993.120\vulkan-1.dll

PE32+ executable (DLL) (console) x86-64, for MS Windows

dropped

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_chrome.exe_c93e2ab35bf4e24e0cdcd22579377d3186fb6_5aba68d6_97dfc3d3-9e4c-4157-8c91-42bd7040bc82\Report.wer

Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER25E5.tmp.dmp

Mini DuMP crash report, 14 streams, Fri May 24 19:00:17 2024, 0x1205a4 type

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER26F0.tmp.WERInternalMetadata.xml

XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators

dropped

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2720.tmp.xml

XML 1.0 document, ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

data

dropped

C:\Users\user\AppData\Local\Temp\Pro43F6.tmp

ASCII text

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4l0adzgv.f10.psm1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqfxtzvr.pkr.ps1

ASCII text, with no line terminators

dropped

C:\Users\user\AppData\Local\appData\mrt100_app.dll

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\appData\msvcp140_app.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\appData\vcamp140_app.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\appData\vccorlib140_app.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\appData\vcomp140_app.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\appData\vcruntime140_1_app.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\appData\vcruntime140_app.dll

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Local\appData\xmpp.dll

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI3CCD.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI3D2C.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI3D4C.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI3D6C.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI3DBC.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\Installer\MSI435B.tmp

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

modified

C:\Windows\Installer\SourceHash{B95F3E55-F3A2-459E-ACB1-42A9918E3822}

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Installer\inprogressinstallinfo.ipi

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

dropped

C:\Windows\Temp\~DF030AC1A6B470813A.TMP

data

dropped

C:\Windows\Temp\~DF249FF4A81CEC50A5.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Temp\~DF2F56BE0322273DFA.TMP

data

dropped

C:\Windows\Temp\~DF3ACE805C130034D7.TMP

data

dropped

C:\Windows\Temp\~DF45C782A85B1BC005.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Temp\~DF6AC326494C7E6F0F.TMP

data

dropped

C:\Windows\Temp\~DF713A5559E2D8AB5D.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Temp\~DF737FEAFB5F47DDDF.TMP

data

dropped

C:\Windows\Temp\~DFA6F00C61547C5A95.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Temp\~DFCADE276437B8876E.TMP

Composite Document File V2 Document, Cannot read section info

dropped

C:\Windows\Temp\~DFD735E1EFE24DAF39.TMP

data

dropped

C:\Windows\Temp\~DFF86D41EBB18B0485.TMP

data

dropped

C:\Windows\appcompat\Programs\Amcache.hve

MS Windows registry file, NT/2000 or above

dropped

There are 179 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Br_i421i2-2481-125_754864.msi"

Details

Is windows:	true
Is dropped:	false
PID:	7456
Target ID:	0
Parent PID:	2580
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Br_i421i2-2481-125_754864.msi"
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	14:59:17
Date:	24/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d0cd0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious MsiExec Embedding Parent	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Details

Is windows:	true
Is dropped:	false
PID:	7488
Target ID:	1
Parent PID:	620
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\System32\msiexec.exe
Commandline:	C:\Windows\system32\msiexec.exe /V
Size:	69632
MD5:	E5DA170027542E25EDE42FC54C929077
Time:	14:59:17
Date:	24/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d0cd0000
Modulesize:	94208
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious MsiExec Embedding Parent	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B

Details

Is windows:	true
Is dropped:	false
PID:	7572
Target ID:	2
Parent PID:	7488
Name:	msiexec.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\msiexec.exe
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 182CBD29A8DE3C0ACD2328E3D85CE97B
Size:	59904
MD5:	9D09DC1EDA745A5F87553048E57620CF
Time:	14:59:18
Date:	24/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x740000
Modulesize:	73728
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious MsiExec Embedding Parent	System Summary
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."

Details

Is windows:	true
Is dropped:	false
PID:	7712
Target ID:	3
Parent PID:	7572
Name:	powershell.exe
Class:	powershell
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:	-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss43F5.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi43E2.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr43E3.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr43E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Size:	433152
MD5:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Time:	14:59:19
Date:	24/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x630000
Modulesize:	446464
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected Powershell download and execute	HIPS / PFW / Operating System Protection Evasion
Bypasses PowerShell execution policy	HIPS / PFW / Operating System Protection Evasion	PowerShell
Sigma detected: Script Interpreter Execution From Suspicious Folder	System Summary
Sigma detected: Suspicious Script Execution From Temp Folder	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Change PowerShell Policies to an Insecure Level	System Summary
Sigma detected: Suspicious MsiExec Embedding Parent	System Summary
Very long cmdline option found, this is very uncommon (may be encrypted or packed)	HIPS / PFW / Operating System Protection Evasion	Command and Scripting Interpreter
Sigma detected: Non Interactive PowerShell Process Spawned	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe

"C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7204
Target ID:	8
Parent PID:	7712
Name:	WebExperienceHostApp.exe
Path:	C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe
Commandline:	"C:\Users\user\AppData\Local\appData\WebExperienceHostApp.exe"
Size:	55808
MD5:	53AB9B8198E8AD8D3A043F40E72B1AB1
Time:	14:59:51
Date:	24/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff619490000
Modulesize:	73728
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7720
Target ID:	4
Parent PID:	7712
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	14:59:20
Date:	24/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe

Details

Is windows:	false
Is dropped:	true
PID:	2500
Target ID:	9
Parent PID:	7204
Name:	chrome.exe
Path:	C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe
Commandline:	C:\ProgramData\Chrome\Application\118.0.5993.120\chrome.exe
Size:	2790176
MD5:	1913EFB2223B24D2A47FAD0A1AAD8F19
Time:	14:59:56
Date:	24/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff63edb0000
Modulesize:	2854912
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Spawns processes	System Summary	Process Injection
Binary contains paths to debug symbols	Compliance, System Summary

C:\Windows\System32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2500 -s 580

Details

Is windows:	true
Is dropped:	false
PID:	7444
Target ID:	11
Parent PID:	2500
Name:	WerFault.exe
Path:	C:\Windows\System32\WerFault.exe
Commandline:	C:\Windows\system32\WerFault.exe -u -p 2500 -s 580
Size:	570736
MD5:	FD27D9F6D02763BDE32511B5DF7FF7A0
Time:	15:00:17
Date:	24/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff6c57c0000
Modulesize:	581632
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
One or more processes crash	System Summary
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://pesterbdd.com/images/Pester.png

unknown

http://nuget.org/NuGet.exe

unknown

https://crashpad.chromium.org/

unknown

https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.br

unknown

http://www.apachefriends.org/f/viewforum.php?f=4

unknown

https://bost.blob.core.wi

unknown

http://schemas.xmlsoap.org/soap/encoding/

unknown

https://advocaciavirtualmw.com/ProcessosAbril/processojudiciario.gov.brFMX_STYLE

unknown

http://www.apache.org/licenses/LICENSE-2.0.html

unknown

http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf

unknown

https://go.micro

unknown

https://crashpad.chromium.org/bug/new

unknown

http://www.movable-type.co.uk/scripts/xxtea.pdf

unknown

http://tools.ietf.org/html/rfc1321

unknown

https://contoso.com/License

unknown

https://jaspreser.dev.br/.well-known/acme-challenge/Relatorios_xls_mensal

unknown

http://schemas.xmlsoap.org/soap/envelope/

unknown

http://www.csrc.nist.gov/publications/fips/fips197/fips-197.pdf

unknown

http://www.schneier.com/paper-twofish-paper.pdf

unknown

https://contoso.com/Icon

unknown

https://bost.blo

unknown

http://www.ietf.org/rfc/rfc3447.txt

unknown

https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new

unknown

http://www.schneier.com/paper-blowfish-fse.html

unknown

https://github.com/Pester/Pester

unknown

http://www.itl.nist.gov/fipspubs/fip180-1.htm

unknown

http://crl.microQ

unknown

http://csrc.nist.gov/publications/drafts/800-67-rev1/SP-800-67-rev1-2_July-2011.pdf

unknown

http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

unknown

http://www.apachefriends.org/f/viewforum.php?f=16

unknown

http://csrc.nist.gov/publications/drafts/fips180-4/Draft-FIPS180-4_Feb2011.pdf

unknown

http://www.borland.com/namespaces/Types

unknown

https://aka.ms/pscore6lB

unknown

http://tools.ietf.org/html/rfc4648

unknown

https://bost.blo(f

unknown

https://contoso.com/

unknown

https://nuget.org/nuget.exe

unknown

http://www.borland.com/namespaces/Types03

unknown

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

unknown

http://schemas.xmlsoap.org/soap/encoding/03

unknown

There are 30 hidden URLs, click here to show them.

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Owner

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

SessionHash

HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000

Sequence

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Config.Msi\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts

C:\Config.Msi\4b3b29.rbs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts

C:\Config.Msi\4b3b29.rbsLow

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Microsoft\Installer\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\6C6D806D1D1EFE84EA93068356D28D04

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\C8F7E0D08C4B68946A3723E7CD17EE4C

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\9A67AB190820F794FB0C4A7CC5BD6020

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\F89130AF293B4314DA02FD92CA534214

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\B3680D584F89FA444BCE3497635CFBCE

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\47C7E68572914D14C9B62A09F304C89C

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\0D753F396707A4640A184929109E6ACF

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\0CC61C26A19633D49B59BEC768E070E4

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\FCCF92553A74A644195433EA35C18848

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\6D32A2A1BC8329E4095F9C4421DEFE55

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-2246122658-3693405117-2476756634-1002\Components\8A379BD0A10B8E7459DD14F9C51571B1

55E3F59B2A3FE954CA1B249A19E88322

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Acrobat Reader\Acrobat Reader\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Roaming\Acrobat Reader\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders

C:\Users\user\AppData\Local\appData\

HKEY_CURRENT_USER\SOFTWARE\Acrobat Reader\Acrobat Reader

Version

HKEY_CURRENT_USER\SOFTWARE\Acrobat Reader\Acrobat Reader

Path

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\24\417C44EB

@%SystemRoot%\system32\dnsapi.dll,-103

HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\24\417C44EB

@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32

FileDirectory

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS

EnableFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS

EnableAutoFileTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS

EnableConsoleTracing

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS

FileTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS

ConsoleTracingMask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS

MaxFileSize

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS

FileDirectory