Edit tour

Windows Analysis Report
IRPF2024-0940959038w904598304w985036.msi

Overview

General Information

Sample name:	IRPF2024-0940959038w904598304w985036.msi
Analysis ID:	1513060
MD5:	55e1b6a518bc3e243d8d856ee17430aa
SHA1:	f83dc91c91f89d6a321892d54b4de229041b07d1
SHA256:	baf5979f4c227be5b3f1bf4f03e5902e8b7fcc2dad38068f363a0096cb12a536
Tags:	msi
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Creates multiple autostart registry keys

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Switches to a custom stack to bypass stack traces

Checks for available system drives (often done to infect USB drives)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

Launches processes in debugging mode, may be used to hinder debugging

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sigma detected: CurrentVersion Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 6860 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\IRPF2024-0940959038w904598304w985036.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 4892 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 2244 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5B841E4EC1525DEC8E125CA4E79284A2 MD5: 9D09DC1EDA745A5F87553048E57620CF)

Flexpcis.exe (PID: 5976 cmdline: "C:\Users\user\Contacts\Flexpcis.exe" MD5: E04F15D35A1807C4D74D2538D5FE28C9)

Flexpcis.exe (PID: 1008 cmdline: "C:\Users\user\Contacts\Flexpcis.exe" MD5: E04F15D35A1807C4D74D2538D5FE28C9)

WerFault.exe (PID: 6068 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6024 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Flexpcis.exe (PID: 672 cmdline: "C:\Users\user\Contacts\Flexpcis.exe" MD5: E04F15D35A1807C4D74D2538D5FE28C9)

WerFault.exe (PID: 1080 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 724 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 6440 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Flexpcis.exe (PID: 5648 cmdline: "C:\Users\user\Contacts\Flexpcis.exe" MD5: E04F15D35A1807C4D74D2538D5FE28C9)

WerFault.exe (PID: 6736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3912 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 628 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Flexpcis.exe (PID: 5908 cmdline: "C:\Users\user\Contacts\Flexpcis.exe" MD5: E04F15D35A1807C4D74D2538D5FE28C9)

WerFault.exe (PID: 2704 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 624 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5516 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 1004 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Contacts\Flexpcis.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\msiexec.exe, ProcessId: 4892, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Novo Valor

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-18T12:32:28.265873+0200	2803304	3	Unknown Traffic	192.168.2.6	49715	50.116.112.138	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Contacts\Drivespan.dll

Virustotal: Detection: 32%

Perma Link

Multi AV Scanner detection for submitted file

Source: IRPF2024-0940959038w904598304w985036.msi

Virustotal: Detection: 7%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source:

Binary string: c:\builds\workspace\Applications\Transfer_common\src\Release\Transfer.pdb source: Flexpcis.exe, 00000004.00000000.2175400389.000000000011F000.00000002.00000001.01000000.00000003.sdmp, Flexpcis.exe, 00000006.00000000.2285448613.000000000011F000.00000002.00000001.01000000.00000003.sdmp, Flexpcis.exe, 00000006.00000002.2741170201.000000000011F000.00000002.00000001.01000000.00000003.sdmp, Flexpcis.exe, 00000009.00000000.2372725998.000000000011F000.00000002.00000001.01000000.00000003.sdmp, Flexpcis.exe, 00000009.00000002.2826466455.000000000011F000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_001175CA FindFirstFileExW,

6_2_001175CA

Source: global traffic

HTTP traffic detected: GET /dddd/inspecionando.php HTTP/1.1Host: www.rodovalhoadvogados.com.brCache-Control: no-cache

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49715 -> 50.116.112.138:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /dddd/inspecionando.php HTTP/1.1Host: www.rodovalhoadvogados.com.brCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.rodovalhoadvogados.com.br

Source: Flexpcis.exe, 00000006.00000003.2578838717.0000000003000000.00000004.00001000.00020000.00000000.sdmp, Flexpcis.exe, 00000006.00000002.2793239128.000000006458C000.00000020.00000001.01000000.00000004.sdmp, Flexpcis.exe, 00000009.00000003.2717965588.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, Flexpcis.exe, 00000009.00000002.2833202804.000000006458C000.00000020.00000001.01000000.00000004.sdmp

String found in binary or memory: http://www.indyproject.org/

System Summary

PE file contains section with special chars

Source: Drivespan.dll.2.dr

Static PE information: section name: .}w/

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3c0868.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFFA.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1078.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10C7.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1135.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1194.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{8AE8C42A-5150-4814-B7AC-A22D49C22F14}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI129E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3c086b.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3c086b.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIFFA.tmp

Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_0011CD15

6_2_0011CD15

Source: Joe Sandbox View	Dropped File: C:\Users\user\Contacts\Flexpcis.exe 7E4132835419E4C415D048B64A5FC2813B8D2FF72BB5586D857DCDF6A90A45F2
Source: Joe Sandbox View	Dropped File: C:\Windows\Installer\MSI1078.tmp 118A551EEF23BF842ED470316AA1A50BF17B6D656652879802D4ACC0184608CA

Source: C:\Users\user\Contacts\Flexpcis.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 628

Source: Drivespan.dll.2.dr

Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: Drivespan.dll.2.dr

Static PE information: Number of sections : 16 > 10

Source: classification engine

Classification label: mal76.evad.winMSI@18/59@1/1

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_00111510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

6_2_00111510

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML12F7.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess672
Source: C:\Users\user\Contacts\Flexpcis.exe	Mutant created: \Sessions\1\BaseNamedObjects\gg24UGs6BG
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5648
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1008
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5908

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF608BC4025E100561.TMP

Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe	Command line argument: -Restart	6_2_001117A0
Source: C:\Users\user\Contacts\Flexpcis.exe	Command line argument: drivespan.dll	6_2_001117A0
Source: C:\Users\user\Contacts\Flexpcis.exe	Command line argument: drivespan.dll	6_2_001117A0
Source: C:\Users\user\Contacts\Flexpcis.exe	Command line argument: run	6_2_001117A0
Source: C:\Users\user\Contacts\Flexpcis.exe	Command line argument: #v	6_2_001117A0

Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IRPF2024-0940959038w904598304w985036.msi

Virustotal: Detection: 7%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\IRPF2024-0940959038w904598304w985036.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5B841E4EC1525DEC8E125CA4E79284A2
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\Contacts\Flexpcis.exe "C:\Users\user\Contacts\Flexpcis.exe"
Source: unknown	Process created: C:\Users\user\Contacts\Flexpcis.exe "C:\Users\user\Contacts\Flexpcis.exe"
Source: unknown	Process created: C:\Users\user\Contacts\Flexpcis.exe "C:\Users\user\Contacts\Flexpcis.exe"
Source: unknown	Process created: C:\Users\user\Contacts\Flexpcis.exe "C:\Users\user\Contacts\Flexpcis.exe"
Source: C:\Users\user\Contacts\Flexpcis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 628
Source: unknown	Process created: C:\Users\user\Contacts\Flexpcis.exe "C:\Users\user\Contacts\Flexpcis.exe"
Source: C:\Users\user\Contacts\Flexpcis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 628
Source: C:\Users\user\Contacts\Flexpcis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 724
Source: C:\Users\user\Contacts\Flexpcis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 628
Source: C:\Users\user\Contacts\Flexpcis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 624
Source: C:\Users\user\Contacts\Flexpcis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 1004
Source: C:\Users\user\Contacts\Flexpcis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 628
Source: C:\Users\user\Contacts\Flexpcis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 628
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 5B841E4EC1525DEC8E125CA4E79284A2	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\Contacts\Flexpcis.exe "C:\Users\user\Contacts\Flexpcis.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: drivespan.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.applicationmodel.store.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: drivespan.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.applicationmodel.store.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: drivespan.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.applicationmodel.store.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: drivespan.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.applicationmodel.store.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: drivespan.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: windows.applicationmodel.store.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: IRPF2024-0940959038w904598304w985036.msi

Static file information: File size 41998336 > 1048576

Source:

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_00111000 LdrInitializeThunk,SHGetFolderPathW,PathFileExistsW,PathFileExistsW,PathFileExistsW,MoveFileExW,PathFileExistsW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,LoadLibraryW,GetProcAddress,FreeLibrary,FreeLibrary,

6_2_00111000

Source: initial sample

Static PE information: section where entry point is pointing to: .}w/

Source: Drivespan.dll.2.dr	Static PE information: section name: .didata
Source: Drivespan.dll.2.dr	Static PE information: section name: .aJ4
Source: Drivespan.dll.2.dr	Static PE information: section name: .7VB
Source: Drivespan.dll.2.dr	Static PE information: section name: .debug
Source: Drivespan.dll.2.dr	Static PE information: section name: ./VW
Source: Drivespan.dll.2.dr	Static PE information: section name: .eW.
Source: Drivespan.dll.2.dr	Static PE information: section name: .}w/

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_00113016 push ecx; ret

6_2_00113029

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1194.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\Contacts\Drivespan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\Contacts\Flexpcis.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1135.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFFA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1078.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10C7.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1194.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1135.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFFA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1078.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10C7.tmp	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Novo Valor			Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Flexpcis.exe			Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Novo Valor	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Novo Valor	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Flexpcis.exe	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Flexpcis.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 2570005 value: E9 8B 2F E1 74	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 77382F90 value: E9 7A D0 1E 8B	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 2690005 value: E9 2B BA CB 74	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 7734BA30 value: E9 DA 45 34 8B	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 26A0008 value: E9 8B 8E CF 74	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 77398E90 value: E9 80 71 30 8B	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 26C0005 value: E9 8B 4D 27 74	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 76934D90 value: E9 7A B2 D8 8B	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 26D0005 value: E9 EB EB 27 74	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 7694EBF0 value: E9 1A 14 D8 8B	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 26E0005 value: E9 8B 8A 24 73	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 75928A90 value: E9 7A 75 DB 8C	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 26F0005 value: E9 2B 02 26 73	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5976 base: 75950230 value: E9 DA FD D9 8C	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: ED0005 value: E9 8B 2F 4B 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 77382F90 value: E9 7A D0 B4 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: EE0005 value: E9 2B BA 46 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 7734BA30 value: E9 DA 45 B9 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: EF0008 value: E9 8B 8E 4A 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 77398E90 value: E9 80 71 B5 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 1320005 value: E9 8B 4D 61 75	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 76934D90 value: E9 7A B2 9E 8A	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 1330005 value: E9 EB EB 61 75	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 7694EBF0 value: E9 1A 14 9E 8A	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 2F30005 value: E9 8B 8A 9F 72	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 75928A90 value: E9 7A 75 60 8D	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 2F40005 value: E9 2B 02 A1 72	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 1008 base: 75950230 value: E9 DA FD 5E 8D	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 14D0005 value: E9 8B 2F EB 75	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 77382F90 value: E9 7A D0 14 8A	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 15F0005 value: E9 2B BA D5 75	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 7734BA30 value: E9 DA 45 2A 8A	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 1600008 value: E9 8B 8E D9 75	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 77398E90 value: E9 80 71 26 8A	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 1620005 value: E9 8B 4D 31 75	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 76934D90 value: E9 7A B2 CE 8A	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 1630005 value: E9 EB EB 31 75	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 7694EBF0 value: E9 1A 14 CE 8A	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 1640005 value: E9 8B 8A 2E 74	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 75928A90 value: E9 7A 75 D1 8B	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 1650005 value: E9 2B 02 30 74	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 672 base: 75950230 value: E9 DA FD CF 8B	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 520005 value: E9 8B 2F E6 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 77382F90 value: E9 7A D0 19 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 530005 value: E9 2B BA E1 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 7734BA30 value: E9 DA 45 1E 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 540008 value: E9 8B 8E E5 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 77398E90 value: E9 80 71 1A 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 6C0005 value: E9 8B 4D 27 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 76934D90 value: E9 7A B2 D8 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 6D0005 value: E9 EB EB 27 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 7694EBF0 value: E9 1A 14 D8 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 6E0005 value: E9 8B 8A 24 75	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 75928A90 value: E9 7A 75 DB 8A	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 8D0005 value: E9 2B 02 08 75	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5648 base: 75950230 value: E9 DA FD F7 8A	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 5A0005 value: E9 8B 2F DE 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 77382F90 value: E9 7A D0 21 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 6D0005 value: E9 2B BA C7 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 7734BA30 value: E9 DA 45 38 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 6E0008 value: E9 8B 8E CB 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 77398E90 value: E9 80 71 34 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 700005 value: E9 8B 4D 23 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 76934D90 value: E9 7A B2 DC 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 710005 value: E9 EB EB 23 76	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 7694EBF0 value: E9 1A 14 DC 89	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: AB0005 value: E9 8B 8A E7 74	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 75928A90 value: E9 7A 75 18 8B	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 2620005 value: E9 2B 02 33 73	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Memory written: PID: 5908 base: 75950230 value: E9 DA FD CC 8C	Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A513CF4
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C870B5A
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A4D3123
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A4C919F
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A2C91B3
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C8ADCC2
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C223C19
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C737130
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C2077D4
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A21540D
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C851945
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C712EA2
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C818836
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A291EDE
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C578217
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C713F92
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A49F506
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C2122CD
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C875B11
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A4F952E
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C810BA2
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C87BCC9
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A202318
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A451E42
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C1E4B24
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C20E356
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A36CF98
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C747FE0
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C597817
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C591B3D
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C1E63E1
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A5060BA
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C8556C2
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C8C7728
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A43A6D8
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C825152
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A4F05F6
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A4CEE1A
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C8216A2
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C1EA1E6
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C58B9E9
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C59A056
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A42A367
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A43B8C9
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C83CEE4
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A2148E8
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C2366E3
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A4E9A7A
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C8D4DC8
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6B7795B7
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6A4E3C0B
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C1E9BA8
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C8A0DFE
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C8C570F
Source: C:\Users\user\Contacts\Flexpcis.exe	API/Special instruction interceptor: Address: 6C71CEF2

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_00111510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

6_2_00111510

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1194.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1135.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIFFA.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1078.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI10C7.tmp	Jump to dropped file

Source: C:\Users\user\Contacts\Flexpcis.exe

API coverage: 5.3 %

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_001175CA FindFirstFileExW,

6_2_001175CA

Source: Flexpcis.exe, 00000009.00000002.2834178120.00000000677DD000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: @Idassignednumbers@IdPORT_vmnet
Source: Flexpcis.exe, 00000009.00000002.2834178120.00000000677DD000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: @Idassignednumbers@IdPORT_vmnet$@Idassignednumbers@IdPORT_genrad_mux
Source: Flexpcis.exe, 00000006.00000003.2681373979.0000000000F3C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Flexpcis.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe

6_2_00111000

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_001155D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_001155D7

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_00111510 GetModuleFileNameW,GetCurrentProcessId,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Sleep,CloseHandle,Sleep,

6_2_00111510

Source: C:\Users\user\Contacts\Flexpcis.exe

6_2_00111000

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_00116268 mov eax, dword ptr fs:[00000030h]

6_2_00116268

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_00119302 GetProcessHeap,

6_2_00119302

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\Contacts\Flexpcis.exe "C:\Users\user\Contacts\Flexpcis.exe"

Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe	Code function: 6_2_00112821 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00112821
Source: C:\Users\user\Contacts\Flexpcis.exe	Code function: 6_2_001155D7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_001155D7
Source: C:\Users\user\Contacts\Flexpcis.exe	Code function: 6_2_00112DC9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00112DC9
Source: C:\Users\user\Contacts\Flexpcis.exe	Code function: 6_2_00112F17 SetUnhandledExceptionFilter,	6_2_00112F17

Source: Flexpcis.exe, 00000006.00000002.2816061489.0000000066DDD000.00000002.00000001.01000000.00000004.sdmp, Flexpcis.exe, 00000009.00000002.2834178120.0000000066DDD000.00000002.00000001.01000000.00000004.sdmp

Binary or memory string: @Winapi@Windows@DOF_PROGMAN

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_0011305C cpuid

6_2_0011305C

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Contacts\Flexpcis.exe

Code function: 6_2_00112CB2 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00112CB2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Command and Scripting Interpreter	11 Registry Run Keys / Startup Folder	2 Process Injection	21 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Process Injection	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	123 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IRPF2024-0940959038w904598304w985036.msi	8%	Virustotal		Browse
IRPF2024-0940959038w904598304w985036.msi	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\Contacts\Drivespan.dll	33%	Virustotal	Browse
C:\Users\user\Contacts\Flexpcis.exe	0%	ReversingLabs
C:\Users\user\Contacts\Flexpcis.exe	0%	Virustotal	Browse
C:\Windows\Installer\MSI1078.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1078.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI10C7.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI10C7.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI1135.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1135.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSI1194.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI1194.tmp	0%	Virustotal	Browse
C:\Windows\Installer\MSIFFA.tmp	0%	ReversingLabs
C:\Windows\Installer\MSIFFA.tmp	0%	Virustotal	Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.rodovalhoadvogados.com.br	2%	Virustotal		Browse
rodovalhoadvogados.com.br	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.indyproject.org/	0%	URL Reputation	safe
http://www.rodovalhoadvogados.com.br/dddd/inspecionando.php	0%	Avira URL Cloud	safe
http://www.rodovalhoadvogados.com.br/dddd/inspecionando.php	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rodovalhoadvogados.com.br	50.116.112.138	true	false	2%, Virustotal, Browse	unknown
www.rodovalhoadvogados.com.br	unknown	unknown	false	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.rodovalhoadvogados.com.br/dddd/inspecionando.php	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.indyproject.org/	Flexpcis.exe, 00000006.00000003.2578838717.0000000003000000.00000004.00001000.00020000.00000000.sdmp, Flexpcis.exe, 00000006.00000002.2793239128.000000006458C000.00000020.00000001.01000000.00000004.sdmp, Flexpcis.exe, 00000009.00000003.2717965588.00000000035B0000.00000004.00001000.00020000.00000000.sdmp, Flexpcis.exe, 00000009.00000002.2833202804.000000006458C000.00000020.00000001.01000000.00000004.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.116.112.138	rodovalhoadvogados.com.br	United States		46606	UNIFIEDLAYER-AS-1US	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1513060
Start date and time:	2024-09-18 12:31:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IRPF2024-0940959038w904598304w985036.msi
Detection:	MAL
Classification:	mal76.evad.winMSI@18/59@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.189.173.21, 20.42.65.92, 13.89.179.12
Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, tile-service.weather.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:32:24	API Interceptor	1x Sleep call for process: Flexpcis.exe modified
06:32:57	API Interceptor	8x Sleep call for process: WerFault.exe modified
12:32:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Novo Valor C:\Users\user\Contacts\Flexpcis.exe
12:32:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Novo Valor C:\Users\user\Contacts\Flexpcis.exe
12:32:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Flexpcis.exe C:\Users\user\Contacts\Flexpcis.exe
12:32:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Flexpcis.exe C:\Users\user\Contacts\Flexpcis.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
50.116.112.138	https://www.google.de/amp/s/socorrocargas.com%2fwp-admin%2fcss%2fcolors%2fblue%2fuyp4llyf%2fYWtlc3NsZXJAaW50ZXJhY3Rpb25zLmNvbQ==	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	awb_shipping_doc_03072024224782020031808174CN18030724000000324(991KB).vbs	Get hash	malicious	GuLoader	Browse	192.185.217.247
	EIirQiZnX9.img	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	https://www.seggprotegido.com.br/core/fonts/css/	Get hash	malicious	Unknown	Browse	162.214.199.240
	Hamilton Heating Air RFP Proposal 204FFP10.docx	Get hash	malicious	Unknown	Browse	108.167.132.147
	Hamilton Heating Air RFP Proposal 204FFP10.docx	Get hash	malicious	Unknown	Browse	108.167.132.147
	VAT Approval_Jul-Aug 2024 Salesforce LTD.eml	Get hash	malicious	Unknown	Browse	192.185.185.200
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	198.57.247.184
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	198.57.247.184
	Davislaw_Document_3Pages_Fine.pdf.html	Get hash	malicious	HTMLPhisher	Browse	69.49.245.172
	Documenti di spedizione 0003948855990055.bat.exe	Get hash	malicious	AgentTesla	Browse	192.185.13.234

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Contacts\Flexpcis.exe	NFeNFCe.msi	Get hash	malicious	Unknown	Browse
C:\Users\user\Contacts\Flexpcis.exe	Fct63e39.msi	Get hash	malicious	Unknown	Browse
C:\Windows\Installer\MSI1078.tmp	danf082024xml.msi	Get hash	malicious	Unknown	Browse
	https://rfindustria.com.br/wp-content/uploads/Nota_2024brs.zip	Get hash	malicious	Unknown	Browse
	XML202407brs.msi	Get hash	malicious	Unknown	Browse
	fin.746.msi	Get hash	malicious	Unknown	Browse
	Setup.msi	Get hash	malicious	Unknown	Browse
	NF_e_07_2024_XML__.msi	Get hash	malicious	Unknown	Browse
	Dramatisation.msi	Get hash	malicious	Matanbuchus	Browse
	NF_e_22_05_36543547357358BR.msi	Get hash	malicious	Unknown	Browse
	HomeDesk.msi	Get hash	malicious	Unknown	Browse
	NFs_468.msi	Get hash	malicious	VMdetect	Browse

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	11646
Entropy (8bit):	5.5289030362271285
Encrypted:	false
SSDEEP:	96:VYRBoAK8A1oi6IyRC1BnQrnFLRUnBb5qYUkUTEETCYThq0NUkUTEETCGjkdhyvpr:VYk9B1oiHSABY3QEOEcQEOkJE//pVS
MD5:	4CDF3D3C1C6C66CB6FED4F1ADF84C0C5
SHA1:	36F77E4E1A901118B2D51685265DDB5785B31EF2
SHA-256:	08604F44E23BEE486FA548E65EC40CC2442ACEFA314A71209E311E21F0E24204
SHA-512:	1457FAB807B1B4EDED428ACDC30467D1957673A1CD9105FA9BB3CACAA16F88ABBABF6C6065CCB6F05FAF3D833CB90985D60E15482D4F35CF89ADB5E6D39C7254
Malicious:	false
Preview:	...@IXOS.@.....@.42Y.@.....@.....@.....@.....@.....@......&.{8AE8C42A-5150-4814-B7AC-A22D49C22F14} .Microsoft-Edge-Web-View2-Runtime(.IRPF2024-0940959038w904598304w985036.msi.@.....@.....@.....@........&.{182C5263-9A4F-4811-9832-23486A29A112}.....@.....@.....@.....@.......@.....@.....@.......@.... .Microsoft-Edge-Web-View2-Runtime......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{D85BA408-01F5-4AFD-AD63-1EA8CE77B976}&.{8AE8C42A-5150-4814-B7AC-A22D49C22F14}.@......&.{B5D76D82-8DC1-4B7E-8DC8-49EA79186188}&.{8AE8C42A-5150-4814-B7AC-A22D49C22F14}.@......&.{BC4FEDCD-3E0E-4107-9E61-FB50233A89F0}&.{8AE8C42A-5150-4814-B7AC-A22D49C22F14}.@......&.{484CC30A-1C9E-4E93-BFCE-F924EF61B954}&.{8AE8C42A-5150-4814-B7AC-A22D49C22F14}.@......&.{C36507B6-9328-4E18-9954-CF8127F08E40}&.{8AE8C42A-5150-4814-B7AC-A22D49C22F14}.@......&.{2DF34131-CE60-4311-A01A-81420BB1044D}&.{8AE8C4

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0434207362542725
Encrypted:	false
SSDEEP:	192:wJGpkkpvKGf0e9lXjHBuZrFa2dzuiFVZ24IO8T:/koiGMe9lXj4zuiFVY4IO8T
MD5:	B9C0B85C5478E24F7C4E0A8336A18CBC
SHA1:	C14BF840DCD06C0EF6F8F2848944EA501A02594A
SHA-256:	A863A928BA011A41D87B41354E13CF3FB7561D33D2571F3FFBEC3928CADBCADA
SHA-512:	779531D08C4A4F790B96CBC4FECFB43404EB5FCB2808CCD877C7BA950E07C324E27E22B6143DA8DA0A2DE6AE76C9AB4A16DDB2B0B6E9EE48EE6E1AC62BEA8C29
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.1.2.9.1.7.9.5.6.3.3.4.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.1.2.9.1.8.1.8.2.9.0.5.2.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.4.4.5.a.f.0.9.-.0.b.9.6.-.4.6.5.7.-.9.3.7.e.-.3.7.1.6.b.5.d.9.c.b.3.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.0.a.5.2.2.6.-.4.5.5.2.-.4.8.9.c.-.9.7.8.9.-.d.5.2.3.7.d.f.d.1.4.6.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.F.l.e.x.p.c.i.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.r.a.n.s.f.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.3.f.0.-.0.0.0.1.-.0.0.1.5.-.0.d.7.0.-.a.0.0.9.b.6.0.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.1.a.b.7.9.5.a.c.3.d.e.3.6.7.c.2.f.1.b.7.b.6.f.0.c.e.2.7.e.2.2.0.0.0.0.0.9.0.4.!.0.0.0.0.9.a.4.2.b.3.8.7.b.a.b.d.e.a.7.1.9.d.5.4.c.1.e.1.1.b.a.a.e.9.f.d.b.9.8.9.7.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {182C5263-9A4F-4811-9832-23486A29A112}, Number of Words: 10, Subject: Microsoft-Edge-Web-View2-Runtime, Author: Microsoft, Name of Creating Application: Microsoft-Edge-Web-View2-Runtime, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Microsoft-Edge-Web-View2-Runtime., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Tue Sep 17 18:28:10 2024, Last Saved Time/Date: Tue Sep 17 18:28:10 2024, Last Printed: Tue Sep 17 18:28:10 2024, Number of Pages: 450
Entropy (8bit):	7.988801588430793
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	IRPF2024-0940959038w904598304w985036.msi
File size:	41'998'336 bytes
MD5:	55e1b6a518bc3e243d8d856ee17430aa
SHA1:	f83dc91c91f89d6a321892d54b4de229041b07d1
SHA256:	baf5979f4c227be5b3f1bf4f03e5902e8b7fcc2dad38068f363a0096cb12a536
SHA512:	cafaa29ead2294cfdd2b63912b6dcabd3853fa2d691065b3f398d689f06931df3ad72f9f4a2c7ebbb9e53b7b77b318489ff6b9785129fdbac576bc835bf5fcdc
SSDEEP:	786432:b4ztbf6AoshmMYKXPrhcY32uoS59BVT8KoYcIxuhs7lekMqT0:b4pbSTS7YK/WY3tJ5jhrVxuhsZek
TLSH:	F397332675C7C221D19C007BF964FE5E4176AE23433101E7B2F9B8BA94B5CC2A678B53
File Content Preview:	........................>.......................................................G.......c.......p..............................................................................................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 18, 2024 12:32:27.551683903 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:32:27.556698084 CEST	80	49715	50.116.112.138	192.168.2.6
Sep 18, 2024 12:32:27.556780100 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:32:27.556982040 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:32:27.561822891 CEST	80	49715	50.116.112.138	192.168.2.6
Sep 18, 2024 12:32:28.265796900 CEST	80	49715	50.116.112.138	192.168.2.6
Sep 18, 2024 12:32:28.265872955 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:32:33.266946077 CEST	80	49715	50.116.112.138	192.168.2.6
Sep 18, 2024 12:32:33.267091990 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:34:17.156080008 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:34:17.476052999 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:34:18.163523912 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:34:19.366631985 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:34:21.772963047 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:34:26.663595915 CEST	49715	80	192.168.2.6	50.116.112.138
Sep 18, 2024 12:34:36.366652966 CEST	49715	80	192.168.2.6	50.116.112.138

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 18, 2024 12:32:27.182374954 CEST	57622	53	192.168.2.6	1.1.1.1
Sep 18, 2024 12:32:27.502116919 CEST	53	57622	1.1.1.1	192.168.2.6

Timestamp	Bytes transferred	Direction	Data
Sep 18, 2024 12:32:27.556982040 CEST	102	OUT	GET /dddd/inspecionando.php HTTP/1.1 Host: www.rodovalhoadvogados.com.br Cache-Control: no-cache
Sep 18, 2024 12:32:28.265796900 CEST	169	IN	HTTP/1.1 200 OK Date: Wed, 18 Sep 2024 10:32:27 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade Content-Length: 0 Content-Type: text/html; charset=UTF-8

Target ID:	0
Start time:	06:32:02
Start date:	18/09/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\IRPF2024-0940959038w904598304w985036.msi"
Imagebase:	0x7ff698f90000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	06:32:04
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 5B841E4EC1525DEC8E125CA4E79284A2
Imagebase:	0x880000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	06:32:07
Start date:	18/09/2024
Path:	C:\Users\user\Contacts\Flexpcis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Contacts\Flexpcis.exe"
Imagebase:	0x110000
File size:	138'520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs Detection: 0%, Virustotal, Browse
Reputation:	low
Has exited:	false

Target ID:	6
Start time:	06:32:18
Start date:	18/09/2024
Path:	C:\Users\user\Contacts\Flexpcis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Contacts\Flexpcis.exe"
Imagebase:	0x110000
File size:	138'520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	9
Start time:	06:32:27
Start date:	18/09/2024
Path:	C:\Users\user\Contacts\Flexpcis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Contacts\Flexpcis.exe"
Imagebase:	0x110000
File size:	138'520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	11
Start time:	06:32:37
Start date:	18/09/2024
Path:	C:\Users\user\Contacts\Flexpcis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Contacts\Flexpcis.exe"
Imagebase:	0x110000
File size:	138'520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	14
Start time:	06:32:49
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 628
Imagebase:	0x30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	15
Start time:	06:32:52
Start date:	18/09/2024
Path:	C:\Users\user\Contacts\Flexpcis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Contacts\Flexpcis.exe"
Imagebase:	0x110000
File size:	138'520 bytes
MD5 hash:	E04F15D35A1807C4D74D2538D5FE28C9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	17
Start time:	06:32:58
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 628
Imagebase:	0x30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	21
Start time:	06:33:02
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 724
Imagebase:	0x30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	23
Start time:	06:33:09
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 628
Imagebase:	0x30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	06:33:16
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 624
Imagebase:	0x30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	06:33:18
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 1004
Imagebase:	0x30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	30
Start time:	06:35:58
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 628
Imagebase:	0x30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IRPF2024-0940959038w904598304w985036.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\3c086a.rbs

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Flexpcis.exe_ac4eb928f71a1238ac277513c9446589b80efc4_10d4e3e1_4445af09-0b96-4657-937e-3716b5d9cb35\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Flexpcis.exe_ac4eb928f71a1238ac277513c9446589b80efc4_10d4e3e1_b85dc046-0db7-4a6d-a980-f7495a372184\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Flexpcis.exe_ac4eb928f71a1238ac277513c9446589b80efc4_10d4e3e1_e78915f5-aa93-4fad-82fd-884065e182d9\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Flexpcis.exe_ac4eb928f71a1238ac277513c9446589b80efc4_10d4e3e1_e8cefdc1-d6bf-40ae-a7d0-50cf71a27795\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Flexpcis.exe_e87c0a2afe35b309f14a3a7c9edd366c81c413_10d4e3e1_06495a97-ff68-4d31-89ea-66637693f022\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Flexpcis.exe_e87c0a2afe35b309f14a3a7c9edd366c81c413_10d4e3e1_892afd6e-3d10-419b-9842-cef2a2414149\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Flexpcis.exe_e87c0a2afe35b309f14a3a7c9edd366c81c413_10d4e3e1_b4825b46-7409-459a-9772-542b33cc2059\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Flexpcis.exe_e87c0a2afe35b309f14a3a7c9edd366c81c413_10d4e3e1_b916971a-da99-4f41-82bc-2f6d10279bb3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2988.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AA2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AE1.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3271.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER339B.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33CB.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA2C5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5A4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA5C5.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAB41.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERABEE.tmp.WERInternalMetadata.xml

Windows Analysis Report
IRPF2024-0940959038w904598304w985036.msi

Target ID:	32
Start time:	06:36:00
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 628
Imagebase:	0x30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.9%
Total number of Nodes:	1987
Total number of Limit Nodes:	24

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre