Windows Analysis Report
setup.exe

Overview

General Information

Sample name: setup.exe
Analysis ID: 1544057
MD5: 8aca54559265d2a9ad0a810c425c644f
SHA1: 39d22f9333c9682bb860cf644d66996f7a641666
SHA256: af11a10ef1964b801f070d073cf89f3b4e6eecab2943af9cb011151df65ecfd2
Detection

Score: 81
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 49
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected MalDoc
Yara detected Powershell download and execute
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Drops executables to the windows directory (C:\Windows) and starts them
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Chromium Browser Instance Executed With Custom Extension
Sigma detected: Suspicious Script Execution From Temp Folder
Uses cmd line tools excessively to alter registry or file data
Adds / modifies Windows certificates
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a Chrome extension
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Always Install Elevated MSI Spawned Cmd And Powershell
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Chromium Browser Instance Executed With Custom Extension
Sigma detected: Suspicious MsiExec Embedding Parent
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: setup.exe Avira: detected
Source: setup.exe ReversingLabs: Detection: 41%

Compliance

Source: setup.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Chromstera Browser 1.0.0.0
Source: setup.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 104.21.8.139:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.4:59273 version: TLS 1.2
Source: setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: wininet.pdb source: setup.exe, 00000000.00000003.1719958497.0000000005251000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000003.00000003.1746421738.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, shi3105.tmp.0.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbR source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbg source: setup.exe, MSIEC26.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: n.pdb" source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 31bf3856ad364e35corlib.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E2D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: ChromsteraUpdater.exe, 00000008.00000000.1793999764.00000000001A8000.00000002.00000001.01000000.0000000C.sdmp, ChromsteraUpdater.exe, 00000008.00000002.1810635597.00000000001A8000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbR source: powershell.exe, 00000006.00000002.1833673011.000002526E2D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdbC source: setup.exe, MSI4739.tmp.1.dr, MSIFB77.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbfi source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000006.00000002.1831930535.000002526E104000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: setup.exe, Chromnius-Main.msi.0.dr
Source: Binary string: on.pdb source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089q8 source: powershell.exe, 00000006.00000002.1831930535.000002526E104000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1829332042.000002526C18F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.exe, MSI3250.tmp.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \Sre.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb89+&| source: powershell.exe, 00000006.00000002.1831930535.000002526E104000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.exe
Source: Binary string: System.Management.Automation.pdblb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb source: setup.exe, MSICC66.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.exe, MSIEC26.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdblat* source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb[ source: powershell.exe, 00000006.00000002.1831930535.000002526E129000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbd50a source: powershell.exe, 00000006.00000002.1831930535.000002526E129000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E313000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb) source: setup.exe, MSI35A6.tmp.0.dr, tempFiles.dll.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb source: setup.exe, MSI4739.tmp.1.dr, MSIFB77.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb'iM source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbtionmw source: powershell.exe, 00000006.00000002.1831930535.000002526E129000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000006.00000002.1829332042.000002526C18F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wininet.pdbUGP source: setup.exe, 00000000.00000003.1719958497.0000000005251000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000003.00000003.1746421738.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, shi3105.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.exe, MSI3250.tmp.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: setup.exe, lzmaextractor.dll.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.exe, MSI3193.tmp.0.dr, MSICBB9.tmp.1.dr, MSICA7D.tmp.1.dr, MSI331F.tmp.0.dr, MSI35E5.tmp.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb source: setup.exe, MSI35A6.tmp.0.dr, tempFiles.dll.0.dr, Chromnius-Main.msi.0.dr
Source: C:\Users\user\Desktop\setup.exe File opened: z:
Source: C:\Users\user\Desktop\setup.exe File opened: x:
Source: C:\Users\user\Desktop\setup.exe File opened: v:
Source: C:\Users\user\Desktop\setup.exe File opened: t:
Source: C:\Users\user\Desktop\setup.exe File opened: r:
Source: C:\Users\user\Desktop\setup.exe File opened: p:
Source: C:\Users\user\Desktop\setup.exe File opened: n:
Source: C:\Users\user\Desktop\setup.exe File opened: l:
Source: C:\Users\user\Desktop\setup.exe File opened: j:
Source: C:\Users\user\Desktop\setup.exe File opened: h:
Source: C:\Users\user\Desktop\setup.exe File opened: f:
Source: C:\Users\user\Desktop\setup.exe File opened: b:
Source: C:\Users\user\Desktop\setup.exe File opened: y:
Source: C:\Users\user\Desktop\setup.exe File opened: w:
Source: C:\Users\user\Desktop\setup.exe File opened: u:
Source: C:\Users\user\Desktop\setup.exe File opened: s:
Source: C:\Users\user\Desktop\setup.exe File opened: q:
Source: C:\Users\user\Desktop\setup.exe File opened: o:
Source: C:\Users\user\Desktop\setup.exe File opened: m:
Source: C:\Users\user\Desktop\setup.exe File opened: k:
Source: C:\Users\user\Desktop\setup.exe File opened: i:
Source: C:\Users\user\Desktop\setup.exe File opened: g:
Source: C:\Users\user\Desktop\setup.exe File opened: e:
Source: C:\Windows\System32\cmd.exe File opened: c:
Source: C:\Users\user\Desktop\setup.exe File opened: a:
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CCBDA0 FindFirstFileW,GetLastError,FindClose, 0_2_00CCBDA0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC2290 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_00BC2290
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CCB3A0 _wcsrchr,_wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr, 0_2_00CCB3A0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CCB7D0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00CCB7D0
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_000DEAA0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose, 8_2_000DEAA0
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_00184E5C FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_00184E5C

Networking

Source: Network traffic Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49734 -> 104.21.8.139:443
Source: Yara match File source: C:\Windows\Installer\6bc77d.msi, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Chromstera Solutions\Chromstera Browser 1.0.0.0\install\Chromnius-Main.msi, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.4:59151 -> 1.1.1.1:53
Source: global traffic HTTP traffic detected: GET /cross/crx3dynamic/?adv=426&v=4.4&time=1730139128 HTTP/1.1Host: secure.chromstera.comConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 151.101.130.133
Source: unknown TCP traffic detected without corresponding DNS query: 151.101.194.133
Source: unknown TCP traffic detected without corresponding DNS query: 151.101.130.133
Source: unknown TCP traffic detected without corresponding DNS query: 151.101.194.133
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: global traffic HTTP traffic detected: GET /download/updates.txt HTTP/1.1Accept: */*User-Agent: AdvancedInstallerHost: chromsteraupdates.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=pUkVGK2e4kgEmE9&MD=mNzcmBgT HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=pUkVGK2e4kgEmE9&MD=mNzcmBgT HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /crx/blobs/AYA8VyyVmiyWvldTRU0qGaR4RUSL6-YrG6uKRsMPsRWu4uzTWsENQ0Oe4TwjJlNxU5Vx3wW0XCsKQHAJ2XkWCO0eQ7UF3N9B6xg6w6N4ZQ_ezL5_s1EfR63s25vMOuhpdI4AxlKa5cntVqVuAOGwNK_pRVduNn5fPIzZ/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_83_1_0.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/arbitration_priority_list/4.0.5/asset?assetgroup=ArbitrationService HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ArbitrationServiceSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1730743968&P2=404&P3=2&P4=Wrd8ru3elfd9jwwVA5G6RHmd6vG5sKYlGMT5c86MTidAQ0tDgfnQ9YY1PzzS5qN6OVHCl6NdqNQitO2C6oK2CQ%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: JN3t9tLnHvPwoNcvg4GThUSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule230171v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230172v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230173v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230174v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120119v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704101v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704100v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704201v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704200v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704151v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704150v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule226009v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: setup.exe, 00000000.00000002.2949283112.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp, setup.exe, 00000000.00000000.1694822221.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp, setup.exe, 00000003.00000002.2948103378.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: FlashWindowExFlashWindowGetPackagePathhttp://www.google.comTESTtin9999.tmphttp://www.yahoo.comhttp://www.example.com.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: setup.exe String found in binary or memory: VFlashWindowExFlashWindowGetPackagePathhttp://www.google.comTESTtin9999.tmphttp://www.yahoo.comhttp://www.example.com.part= "GETattachmentDLD123filenamecharsetutf-16ISO-8859-1POSTutf-8Local Network ServerFTP ServerUS-ASCIIAdvancedInstallerRange: bytes=%u- equals www.yahoo.com (Yahoo)
Source: setup.exe String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: chromsterabrowser.com
Source: global traffic DNS traffic detected: DNS query: secure.chromstera.com
Source: global traffic DNS traffic detected: DNS query: chromsteraupdates.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: unknown HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 28 Oct 2024 18:11:31 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeReferrer-Policy: no-referrercf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y4g0jurbb%2FylK2vxdGNtVOvYJ6WuYmHIJDz157KP1iuDbj2hgY2dNAcVG1v85MCCMcU0hYATOIB9I3tzplk3I1Dg4PmrjZncSKwOyB6wlxUdmw34FPOLlgKRlbM8Xx1WKD%2BUSuEFMME%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d9ce38bffc5e96a-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1643&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=733&delivery_rate=1698533&cwnd=248&unsent_bytes=0&cid=2453cd3faa7abb50&ts=320&x=0"
Source: shi3105.tmp.0.dr String found in binary or memory: http://.css
Source: shi3105.tmp.0.dr String found in binary or memory: http://.jpg
Source: setup.exe, 00000000.00000002.2952389573.0000000005B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.cX
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: setup.exe, 00000003.00000002.2950850440.0000000004256000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTruste
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: svchost.exe, 0000001B.00000002.2953061527.00000278DA400000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.coT
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: setup.exe, 00000003.00000002.2949076148.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: setup.exe, 00000000.00000002.2947792142.000000000084A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: setup.exe, 00000003.00000002.2949076148.0000000001418000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab(
Source: setup.exe, 00000000.00000003.1716107883.0000000003C34000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9fe3082f81c28
Source: setup.exe, 00000000.00000002.2947792142.0000000000899000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en_
Source: svchost.exe, 0000001B.00000002.2953199591.00000278DA484000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/
Source: svchost.exe, 0000001B.00000002.2953199591.00000278DA484000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/.exe
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA268000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA268000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA268000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA268000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA29D000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.27.dr String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 0000001B.00000002.2953199591.00000278DA461000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2953324273.00000278DA4D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0/go
Source: svchost.exe, 0000001B.00000002.2953199591.00000278DA484000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com/l
Source: svchost.exe, 0000001B.00000002.2953104557.00000278DA42D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com:80/edgedl/release2/chrome_component/e6xlmsu5i2bokri3w4cyuhv4nq_2024.8.10.0
Source: svchost.exe, 0000001B.00000002.2953199591.00000278DA461000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://edgedl.me.gvt1.com:80I
Source: qmgr.db.27.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: shi3105.tmp.0.dr String found in binary or memory: http://html4/loose.dtd
Source: powershell.exe, 00000006.00000002.1826666135.0000025210075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1826666135.00000252101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1922851954.00000248902B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1922851954.00000248903F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2048653111.000001BA10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2048653111.000001BA101B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: setup.exe, 00000000.00000002.2952389573.0000000005B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr60;
Source: powershell.exe, 0000000E.00000002.1956633566.000001BA00233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.1813013819.0000025200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1860654492.0000024880241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1956633566.000001BA00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1813013819.0000025201B3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://secure.chromstera.com
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt06
Source: powershell.exe, 0000000E.00000002.1956633566.000001BA00233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: setup.exe String found in binary or memory: http://www.google.com
Source: setup.exe String found in binary or memory: http://www.yahoo.com
Source: powershell.exe, 00000006.00000002.1813013819.0000025200001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1860654492.0000024880241000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1956633566.000001BA00001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: ChromsteraUpdater.exe, 00000008.00000002.1810981504.00000000005E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000003.00000003.1741315776.0000000004162000.00000004.00000020.00020000.00000000.sdmp, ChromsteraUpdater.exe, 00000008.00000003.1798424714.00000000026C0000.00000004.00000800.00020000.00000000.sdmp, ChromsteraUpdater.exe, 00000008.00000002.1810981504.0000000000636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/download/updates.txt
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/download/updates.txt$T
Source: setup.exe, 00000003.00000003.1746081224.0000000005133000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/download/updates.txt8
Source: setup.exe, 00000000.00000003.1699493565.00000000008B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/download/updates.txtAI_NEWERPRODUCTFOUND
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/download/updates.txtDS
Source: setup.exe, 00000000.00000003.2315981321.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2951194145.0000000003C75000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2317680666.0000000003C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/download/updates.txtN
Source: ChromsteraUpdater.exe, 00000008.00000002.1810981504.00000000005E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/download/updates.txtater.
Source: setup.exe, 00000000.00000003.1719360172.00000000062C3000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1719465037.00000000062DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/download/updates.txtr
Source: setup.exe, 00000003.00000002.2952383643.0000000005110000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsterabrowser.com/download/updates.txtromstera
Source: ChromsteraUpdater.exe, 00000008.00000002.1810981504.000000000064D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsteraupdates.com/
Source: ChromsteraUpdater.exe, 00000008.00000002.1810981504.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, ChromsteraUpdater.exe, 00000008.00000002.1810981504.0000000000636000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsteraupdates.com/download/updates.txt
Source: setup.exe, 00000003.00000003.1741315776.0000000004162000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsteraupdates.com/download/updates.txtB3
Source: setup.exe, 00000000.00000003.1699493565.00000000008B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsteraupdates.com/download/updates.txtCheckFrequencyDownloads
Source: setup.exe, 00000000.00000002.2950690414.0000000003C10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsteraupdates.com/download/updates.txtY0
Source: ChromsteraUpdater.exe, 00000008.00000002.1810981504.00000000005E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsteraupdates.com/download/updates.txtl
Source: setup.exe, 00000000.00000003.1699659793.0000000000909000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1699730264.000000000092C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1699769061.0000000000937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://chromsteraupdates.com/download/updates.txttd
Source: powershell.exe, 0000000E.00000002.2048653111.000001BA101B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000E.00000002.2048653111.000001BA101B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000E.00000002.2048653111.000001BA101B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA312000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.27.dr String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA36A000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.27.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA312000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.27.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA2F3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.2096112587.00000278DA344000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.2096112587.00000278DA312000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.2096112587.00000278DA338000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000001B.00000003.2096112587.00000278DA357000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.27.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA312000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: powershell.exe, 0000000E.00000002.1956633566.000001BA00233000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000006.00000002.1813013819.0000025200C33000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1860654492.0000024880E74000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1956633566.000001BA00C33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000A.00000002.1929021569.00000248983C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000006.00000002.1826666135.0000025210075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1826666135.00000252101B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1922851954.00000248902B5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1922851954.00000248903F8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2048653111.000001BA10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2048653111.000001BA101B7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA312000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.27.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 0000001B.00000003.2096112587.00000278DA2C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: powershell.exe, 00000006.00000002.1813013819.0000025201A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.c
Source: powershell.exe, 00000006.00000002.1813013819.0000025201A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.chromstera.com
Source: powershell.exe, 00000006.00000002.1813013819.0000025201A0B000.00000004.00000800.00020000.00000000.sdmp, setup.exe, Chromnius-Main.msi.0.dr String found in binary or memory: https://secure.chromstera.com/cross/crx3dynamic
Source: powershell.exe, 00000006.00000002.1813013819.0000025201A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.chromstera.com/cross/crx3dynamic/?adv=
Source: powershell.exe, 00000006.00000002.1813013819.0000025201A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.chromstera.com/cross/crx3dynamic/?adv=426
Source: powershell.exe, 00000006.00000002.1813013819.0000025201A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.chromstera.com/cross/crx3dynamic/?adv=426&v=
Source: powershell.exe, 00000006.00000002.1813013819.0000025201A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.chromstera.com/cross/crx3dynamic/?adv=426&v=4.4
Source: powershell.exe, 00000006.00000002.1813013819.0000025201A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.chromstera.com/cross/crx3dynamic/?adv=426&v=4.4&time=
Source: powershell.exe, 00000006.00000002.1813013819.0000025201A0B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.chromstera.com/cross/crx3dynamic/?adv=426&v=4.4&time=1730139128
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000003.00000002.2952383643.0000000005110000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000003.00000002.2949076148.00000000013CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.com
Source: setup.exe, Chromnius-Main.msi.0.dr String found in binary or memory: https://www.chromstera.com/installer/
Source: setup.exe, Chromnius-Main.msi.0.dr String found in binary or memory: https://www.chromstera.comARPSYSTEMCOMPONENTARPURLINFOABOUTARPURLUPDATEINFOExtractFilesFirstWindowsT
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.comM
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.comT
Source: setup.exe, 00000000.00000003.1719741857.0000000003CD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.comY
Source: setup.exe, 00000000.00000003.2315731246.00000000062E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.combmp
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.comh
Source: setup.exe, 00000003.00000002.2950850440.0000000004160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.commu
Source: setup.exe, 00000000.00000003.2315731246.00000000062E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.compl
Source: setup.exe, 00000000.00000002.2952714019.000000000628A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.comrT/
Source: setup.exe, 00000000.00000002.2952714019.000000000628A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.chromstera.comz
Source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 59302 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 59262 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59186
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59189
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59188
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59183
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59185
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59184
Source: unknown Network traffic detected: HTTP traffic on port 59251 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59181
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 59217 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59228
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59227
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59229
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59235
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59234
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59237
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59236
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59231
Source: unknown Network traffic detected: HTTP traffic on port 59275 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59230
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59232
Source: unknown Network traffic detected: HTTP traffic on port 59298 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59252 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59264 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59300 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59239
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59238
Source: unknown Network traffic detected: HTTP traffic on port 59208 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59246
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59229 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59245
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59248
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59247
Source: unknown Network traffic detected: HTTP traffic on port 59192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59242
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59241
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59243
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59240
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59286 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59158 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59301 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59263 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59249
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59257
Source: unknown Network traffic detected: HTTP traffic on port 59170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59256
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59259
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59258
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59253
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59252
Source: unknown Network traffic detected: HTTP traffic on port 59193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59255
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59251
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59250
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59218 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59268
Source: unknown Network traffic detected: HTTP traffic on port 59230 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59267
Source: unknown Network traffic detected: HTTP traffic on port 59312 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59269
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59264
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59263
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59266
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59265
Source: unknown Network traffic detected: HTTP traffic on port 59297 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59260
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59262
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59261
Source: unknown Network traffic detected: HTTP traffic on port 59179 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59294 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59191 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59271 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59304 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59247 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59260 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59236 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59248 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59282 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59225 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59212 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59293 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59157 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59259 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59303 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59284 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59261 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59189 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59198
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59197
Source: unknown Network traffic detected: HTTP traffic on port 59166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59199
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59194
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59193
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59196
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59195
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59237 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59192
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59191
Source: unknown Network traffic detected: HTTP traffic on port 59155 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59295 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59226 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59211 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59250 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59283 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59249 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59272 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59238 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59256 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59279 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59199 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59291 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59268 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59222 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59280 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59307 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59215 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59267 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59154 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown HTTPS traffic detected: 104.21.8.139:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.4:59273 version: TLS 1.2
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CAA220 SendMessageW,GetParent,GetParent,GetWindowRect,GetParent,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,MapWindowPoints,FillRect,DeleteDC,SendMessageW,SendMessageW,SendMessageW, 0_2_00CAA220
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00C889F0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W, 0_2_00C889F0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC00C0 IsWindow,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00BC00C0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BB9360 NtdllDefWindowProc_W, 0_2_00BB9360
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC9430 NtdllDefWindowProc_W, 0_2_00BC9430
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BB6670 SysFreeString,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 0_2_00BB6670
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00C177A0 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00C177A0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00C689B0 NtdllDefWindowProc_W, 0_2_00C689B0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BB9920 NtdllDefWindowProc_W, 0_2_00BB9920
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BB6CD0 NtdllDefWindowProc_W, 0_2_00BB6CD0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BB8C40 GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DestroyWindow, 0_2_00BB8C40
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC3E40 KillTimer,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,DeleteCriticalSection, 0_2_00BC3E40
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BD6FE0 NtdllDefWindowProc_W, 0_2_00BD6FE0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BB5F50 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,NtdllDefWindowProc_W,GetWindowLongW,GetWindowTextLengthW,GetWindowTextW,SetWindowTextW,GlobalAlloc,GlobalLock,GlobalUnlock,SetWindowLongW,NtdllDefWindowProc_W, 0_2_00BB5F50
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BBFF50 NtdllDefWindowProc_W, 0_2_00BBFF50
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00C889F0 GetSystemDirectoryW,LoadLibraryExW,NtdllDefWindowProc_W, 3_2_00C889F0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BB60E5 NtdllDefWindowProc_W, 3_2_00BB60E5
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BC00C0 NtdllDefWindowProc_W, 3_2_00BC00C0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BB9360 NtdllDefWindowProc_W, 3_2_00BB9360
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BC9430 NtdllDefWindowProc_W, 3_2_00BC9430
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BB6670 SysFreeString,NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,SysFreeString,NtdllDefWindowProc_W,SysFreeString, 3_2_00BB6670
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00C177A0 NtdllDefWindowProc_W, 3_2_00C177A0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00C689B0 NtdllDefWindowProc_W, 3_2_00C689B0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BB9920 NtdllDefWindowProc_W, 3_2_00BB9920
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BB6CD0 NtdllDefWindowProc_W, 3_2_00BB6CD0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BB8C40 NtdllDefWindowProc_W, 3_2_00BB8C40
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BC3E40 NtdllDefWindowProc_W,DeleteCriticalSection, 3_2_00BC3E40
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BB5FA7 NtdllDefWindowProc_W,GlobalAlloc,GlobalLock,GlobalUnlock,NtdllDefWindowProc_W, 3_2_00BB5FA7
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BD6FE0 NtdllDefWindowProc_W, 3_2_00BD6FE0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BBFF50 NtdllDefWindowProc_W, 3_2_00BBFF50
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\6bc77d.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC933.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC9EF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICA7D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICAEB.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICB79.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICBB9.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{441BEFA6-D7B1-4C8C-8CF9-5A4D6215E43D}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICC46.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICC66.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID04F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID11C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEC26.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI11D0.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4739.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFB77.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\msiD25B.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\scrD25C.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\scrD25D.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\scrD25C.ps1
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\scrD25D.txt
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\msiD25B.txt
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\pssD27D.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\pssD27E.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\ProD28F.tmp
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIC933.tmp
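The evidence lines above are flat text, and three things in them matter for triage: which remote peers setup.exe actually negotiated TLS with (the HTTPS lines name the server IP, the HTTP-on-443 lines only name ephemeral ports), which files msiexec.exe staged (the scrD25C.ps1 dropped into C:\Windows\SystemTemp is the PowerShell custom action behind the "Bypasses PowerShell execution policy" signature, and MSI4739.tmp is written to C:\Windows\Installer and then shows up as its own "Code function" source), and whether the Code function entries for setup.exe under process numbers 0 and 3 share addresses, which is consistent with the same binary mapped at the same base in two processes rather than a different image. The script below is an added example written for this page, not Joe Sandbox's own code or output: it parses lines in the "Source: <process> <kind>: <detail>" shape shown here and summarises them. The line regex, the script-extension list and the handful of constructed sample lines (copied from the report above) are assumptions; the lines of this page are not otherwise reproduced.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: lines copied from the report above so the parser
# runs offline. Feed it the whole exported report text in practice.
SAMPLE_REPORT = r"""
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 59169
Source: unknown Network traffic detected: HTTP traffic on port 59171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 59169 -> 443
Source: unknown HTTPS traffic detected: 104.21.8.139:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.253.45:443 -> 192.168.2.4:59273 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4739.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC933.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\msiD25B.tmp
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SystemTemp\scrD25C.ps1
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIC933.tmp
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BA3000 0_2_00BA3000
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CD3DC0 0_2_00CD3DC0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BA3000 3_2_00BA3000
Source: C:\Windows\Installer\MSI4739.tmp Code function: 16_2_00007FF77C096D60 16_2_00007FF77C096D60
"""

# Assumed line shape: "Source: <process> <kind>: <detail>" (as printed in the report above).
KINDS = ("Network traffic detected", "HTTPS traffic detected",
         "File created", "File deleted", "Code function")
LINE_RE = re.compile(r"^Source: (?P<source>.+?) (?P<kind>" + "|".join(KINDS) + r"): (?P<detail>.*)$")
PORTS_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(r"^(?P<rip>[\d.]+):(?P<rport>\d+) -> (?P<lip>[\d.]+):(?P<lport>\d+) version: (?P<ver>.+)$")
FUNC_RE = re.compile(r"^(?P<pid>\d+)_\d+_(?P<addr>[0-9A-F]+)\b")
SCRIPT_EXTS = {".ps1", ".vbs", ".js", ".bat", ".cmd"}  # assumed list of MSI script custom-action types

def parse_report(text):
    """Turn flattened report lines into {source, kind, detail} records; unknown lines are skipped."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def tls_sessions(records):
    """Remote IP -> number of TLS sessions, plus the TLS versions seen.
    The report prints server -> client, so the :443 side is the remote peer."""
    per_ip, versions = defaultdict(int), set()
    for r in records:
        if r["kind"] == "HTTPS traffic detected":
            m = TLS_RE.match(r["detail"])
            if m:
                per_ip[m["rip"]] += 1
                versions.add(m["ver"])
    return dict(per_ip), versions

def client_ports(records):
    """Distinct ephemeral (non-443) ports from the HTTP-on-443 lines. Each port is one
    TCP session, so this collapses the two directions of a flow into one count."""
    ports = set()
    for r in records:
        if r["kind"] == "Network traffic detected":
            m = PORTS_RE.search(r["detail"])
            if m:
                ports.update(p for p in m.groups() if p != "443")
    return ports

def msiexec_drops(records):
    """Files written by msiexec.exe, tagged 'script' (script custom action staged on disk)
    and/or 'executed' (the dropped file later appears as a Code function source, i.e. it ran)."""
    executed = {r["source"].lower() for r in records if r["kind"] == "Code function"}
    findings = {}
    for r in records:
        if r["kind"] != "File created" or PureWindowsPath(r["source"]).name.lower() != "msiexec.exe":
            continue
        path, tags = r["detail"], []
        if PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS:
            tags.append("script")
        if path.lower() in executed:
            tags.append("executed")
        if tags:
            findings[path] = tags
    return findings

def shared_function_addresses(records):
    """(image, process a, process b) -> count of identical function addresses in both processes.
    Identical addresses for the same image path mean the same binary at the same base."""
    by_image = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r["kind"] == "Code function":
            m = FUNC_RE.match(r["detail"])
            if m:
                by_image[r["source"]][m["pid"]].add(m["addr"])
    shared = {}
    for image, procs in by_image.items():
        ids = sorted(procs, key=int)
        for i, a in enumerate(ids):
            for b in ids[i + 1:]:
                common = procs[a] & procs[b]
                if common:
                    shared[(image, a, b)] = len(common)
    return shared

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(tls_sessions(recs))
    print(sorted(client_ports(recs)))
    print(msiexec_drops(recs))
    print(shared_function_addresses(recs))
```

On the sample, `msiexec_drops` tags scrD25C.ps1 as a staged script and MSI4739.tmp as a dropped file that executed, which is the pair of facts an analyst pulls out of this section first; on the full report the ephemeral-port set from `client_ports` gives the real session count behind the long run of port lines, and `tls_sessions` reduces the HTTPS lines to a short list of peer IPs to pivot on.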
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CD3DC0 0_2_00CD3DC0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D260D0 0_2_00D260D0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BA3000 0_2_00BA3000
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00DA3174 0_2_00DA3174
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC2290 0_2_00BC2290
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D9830B 0_2_00D9830B
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BCF410 0_2_00BCF410
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC0500 0_2_00BC0500
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BD8630 0_2_00BD8630
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BA7620 0_2_00BA7620
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BD9710 0_2_00BD9710
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BCA820 0_2_00BCA820
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CAA9B0 0_2_00CAA9B0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D8891C 0_2_00D8891C
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC9AD0 0_2_00BC9AD0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BDCBB0 0_2_00BDCBB0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BA5C82 0_2_00BA5C82
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BD0C80 0_2_00BD0C80
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC5CE0 0_2_00BC5CE0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CD1C40 0_2_00CD1C40
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00C1ADE0 0_2_00C1ADE0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D9CD89 0_2_00D9CD89
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BCCE41 0_2_00BCCE41
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC9FF0 0_2_00BC9FF0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D8FF60 0_2_00D8FF60
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00D260D0 3_2_00D260D0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BA3000 3_2_00BA3000
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BCF410 3_2_00BCF410
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BC0500 3_2_00BC0500
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BD8630 3_2_00BD8630
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BA7620 3_2_00BA7620
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BD9710 3_2_00BD9710
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BCA820 3_2_00BCA820
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00CAA9B0 3_2_00CAA9B0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BC9AD0 3_2_00BC9AD0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BDCBB0 3_2_00BDCBB0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BA5C82 3_2_00BA5C82
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BD0C80 3_2_00BD0C80
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BC5CE0 3_2_00BC5CE0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00C1ADE0 3_2_00C1ADE0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00D9CD89 3_2_00D9CD89
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BCCE41 3_2_00BCCE41
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BC9FF0 3_2_00BC9FF0
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_0010E060 8_2_0010E060
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_0010EF20 8_2_0010EF20
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_0014D3B0 8_2_0014D3B0
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_0012B6E0 8_2_0012B6E0
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_0012BA80 8_2_0012BA80
Source: setup.exe, 00000000.00000003.1719958497.0000000005251000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs setup.exe
Source: setup.exe, 00000000.00000002.2952945604.0000000006B17000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.exe
Source: setup.exe, 00000000.00000002.2952945604.0000000006B17000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameaischeduler.dllF vs setup.exe
Source: setup.exe, 00000000.00000002.2952945604.0000000006B17000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs setup.exe
Source: setup.exe, 00000000.00000002.2952945604.0000000006B17000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.exe
Source: setup.exe, 00000000.00000002.2952945604.00000000067F0000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameviewer.exeF vs setup.exe
Source: setup.exe, 00000000.00000002.2952945604.00000000067F0000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameMsiTempFiles.dllF vs setup.exe
Source: setup.exe, 00000000.00000002.2952945604.00000000067F0000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs setup.exe
Source: setup.exe, 00000000.00000002.2952945604.00000000067F0000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.exe
Source: setup.exe, 00000000.00000002.2949640142.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameChromnius-Main.exeF vs setup.exe
Source: setup.exe, 00000000.00000002.2952714019.000000000628A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFileNameChromnius- vs setup.exe
Source: setup.exe, 00000003.00000002.2951398540.0000000004B90000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameviewer.exeF vs setup.exe
Source: setup.exe, 00000003.00000002.2951398540.0000000004B90000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameMsiTempFiles.dllF vs setup.exe
Source: setup.exe, 00000003.00000002.2951398540.0000000004B90000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenamelzmaextractor.dllF vs setup.exe
Source: setup.exe, 00000003.00000002.2951398540.0000000004B90000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.exe
Source: setup.exe, 00000003.00000002.2951398540.0000000004EB7000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.exe
Source: setup.exe, 00000003.00000002.2951398540.0000000004EB7000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenameaischeduler.dllF vs setup.exe
Source: setup.exe, 00000003.00000002.2951398540.0000000004EB7000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenamePrereq.dllF vs setup.exe
Source: setup.exe, 00000003.00000002.2951398540.0000000004EB7000.00000002.00000001.00040000.00000012.sdmp Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.exe
Source: setup.exe, 00000003.00000000.1739888347.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameChromnius-Main.exeF vs setup.exe
Source: setup.exe, 00000003.00000003.1746421738.00000000039F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewininet.dllD vs setup.exe
Source: setup.exe Binary or memory string: OriginalFileNameChromnius-Main.exeF vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenameviewer.exeF vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenameMsiTempFiles.dllF vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenamelzmaextractor.dllF vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenameAICustAct.dllF vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenameaischeduler.dllF vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenamePrereq.dllF vs setup.exe
Source: setup.exe Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs setup.exe
Source: setup.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d /f
Source: shi3105.tmp.0.dr Binary string: \Device\NameResTrk\RecordNrtCloneOpenPacket
Source: classification engine Classification label: mal81.troj.evad.winEXE@150/138@11/5
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CCEF90 FormatMessageW,GetLastError, 0_2_00CCEF90
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_00147B20 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,QueryFullProcessImageNameW,CloseHandle,Process32NextW,CloseHandle,GetWindowThreadProcessId,GetWindowTextW,GetWindowLongW,GetWindowLongW,GetWindowLongW,GetWindowLongW, 8_2_00147B20
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D16E40 CoCreateInstance, 0_2_00D16E40
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BAA160 LoadResource,LockResource,SizeofResource, 0_2_00BAA160
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Chromstera Browser
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Roaming\Chromstera Solutions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2120:120:WilError_03
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\shi3105.tmp
Source: C:\Windows\Installer\MSI4739.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\chrome.bat" "
Source: setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: setup.exe ReversingLabs: Detection: 41%
Source: ChromsteraUpdater.exe String found in binary or memory: -startminimized
Source: ChromsteraUpdater.exe String found in binary or memory: /install
Source: ChromsteraUpdater.exe String found in binary or memory: -startappfirst
Source: ChromsteraUpdater.exe String found in binary or memory: -installready
Source: ChromsteraUpdater.exe String found in binary or memory: /installservice
Source: setup.exe String found in binary or memory: ComboBoxListBoxListViewINSERT INTO `` (`Property`, `Order`, `Value`, `Text`,`Binary_`) VALUES (?,?,?,?,?) TEMPORARY` (`Property`, `Order`, `Value`, `Text`) VALUES (?,?,?,?) TEMPORARYSELECT * FROM `%s` WHERE `Property`='%s' AND `Value`='%s'SELECT * FROM `%s` WHERE `Property`='%s'EditSELECT `Message` FROM `Error` WHERE `Error` = %sSELECT `Text` FROM `UIText` WHERE `Key` = '%s'tmpALLUSERS = 1ALLUSERS = 2MSIINSTALLPERUSER = 1AI_PACKAGE_TYPE = "x64"AI_PACKAGE_TYPE = "Intel64"SELECT * FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'SELECT `Attributes` FROM `Control` WHERE `Dialog_` = '%s' AND `Control` = '%s'$=3WS_BORDERWS_CAPTIONWS_CHILDWS_CHILDWINDOWWS_CLIPCHILDRENWS_CLIPSIBLINGSWS_DISABLEDWS_DLGFRAMEWS_GROUPWS_HSCROLLWS_ICONICWS_SIZEBOXWS_SYSMENUWS_TABSTOPWS_THICKFRAMEWS_VISIBLEWS_VSCROLLWS_MAXIMIZEBOXWS_MAXIMIZEWS_MINIMIZEBOXWS_MINIMIZEWS_OVERLAPPEDWINDOWWS_OVERLAPPEDWS_POPUPWINDOWWS_POPUPWS_TILEDWINDOWWS_TILEDWS_EX_ACCEPTFILESWS_EX_APPWINDOWWS_EX_CLIENTEDGEWS_EX_CONTEXTHELPWS_EX_CONTROLPARENTWS_EX_DLGMODALFRAMEWS_EX_LEFTWS_EX_LEFTSCROLLBARWS_EX_LTRREADINGWS_EX_MDICHILDWS_EX_NOPARENTNOTIFYWS_EX_OVERLAPPEDWINDOWWS_EX_PALETTEWINDOWWS_EX_RTLREADINGWS_EX_STATICEDGEWS_EX_TOOLWINDOWWS_EX_TOPMOSTWS_EX_TRANSPARENTWS_EX_WINDOWEDGEWS_EX_RIGHTSCROLLBARWS_EX_RIGHTWS_EX_LAYEREDWS_EX_NOACTIVATEWS_EX_NOINHERITLAYOUTWS_EX_LAYOUTRTLWS_EX_COMPOSITEDWS_EXAI_TRIAL_MESSAGE_BODYAI_MSM_TRIAL_MESSAGE_BODYAI_APP_FILEAI_README_FILEAI_APP_ARGSAI_RUN_AS_ADMINMsiLogFileLocation[ProgramFilesFolder][LocalAppDataFolder]Programs\[ProgramFiles64Folder][CommonFilesFolder][LocalAppDataFolder]Programs\Common\[CommonFiles64Folder][WindowsFolder][LocalAppDataFolder][SystemFolder][WindowsVolume][ProgramMenuFolder][DesktopFolder][StartupFolder][TemplateFolder][AdminToolsFolder][AI_UserProgramFiles][WindowsVolume]Program Files (x86)\[AI_ProgramFiles][WindowsVolume]Program Files\MIGRATEFindRelatedProductsMigrateFeatureStatesAI_SETMIXINSTLOCATIONAPPDIRAI_RESTORE_LOCATIONSELECT `ActionProperty` FROM `Upgrade`ActionTarget`Action`='SET_APPDIR' OR `Action`='SET_SHORTCUTDIR'CustomActionSET_APPDIRSET_SHORTCUTDIRSHORTCUTDIRProgramMenuFolderAI_SH_INITEDBrowseDlgCancelDlgDiskCostDlgExitDialogMsiRMFilesInUseOutOfDiskDlgOutOfRbDiskDlgDialog_Control_(`Control_` = 'Next' OR `Control_` = 'Install') AND `Event` = 'EndDialog' AND `Argument` = 'Return'ControlEventAI_INSTALLPERUSER = "0"ALLUSERSVersionMsi >= "5.0"2MSIINSTALLPERUSERAI_NEWINSTProductLanguageAI_INTANCE_LOCATIONAI_UPGRADENoLanguageVersionStringInstallLocationAI_REPLACE_PRODUCTSAI_Replaced_Versions_ListAI_Upgrade_Replace_Question_YesBackUp_AI_Upgrade_Question_YesAI_Upgrade_Question_YesAI_Upgrade_Replace_Question_NoBackUp_AI_Upgrade_Question_NoAI_Upgrade_Question_NoYesDELETE FROM `Shortcut` WHERE `Shortcut`.`Directory_`='%s'DELETE FROM `IniFile` WHERE `IniFile`.`Section`='InternetShortcut' AND`IniFile`.`DirProperty`='%s'SELECT * FROM `%s`ShortcutIniFileAI_DESKTOP_SH0AI_STARTMENU_SHAI_STARTUP_SHAI_SHORTCUTSREGNot InstalledDesktopFolderSta
Source: setup.exe String found in binary or memory: $domain = "https://www.chromstera.com/installer/";
Source: setup.exe String found in binary or memory: Stop-Process -Name 'chrome';AI_DeleteCadLzmaDeleteLZMAFilesProcessTasksExtractLZMAFilesAI_DeleteRCadLzmaAI_PRESERVE_INSTALL_TYPEPreserveInstallTypeOnDetectSoftwareUpdateInstallModeAI_EnableDebugLogEnableDebugLogAI_DpiContentScaleDpiContentScaleSET_TARGETDIR_TO_APPDIRLaunchExeWithDirectory"[TempFolder]\browser.data" --system-levelScheduleTasksAI_ExtractCadLzmaDoEventsExtractSourceFilesAI_FindExeLzmaFindEXEAI_PREPARE_UPGRADEPrepareUpgradeAI_RESTORE_LOCATIONRestoreLocationAI_RESTORE_AI_SETUPEXEPATH[AI_SETUPEXEPATH_ORIGINAL]RemoveAllTempFilesDeleteTasksLaunchLogFileAI_STORE_LOCATIONARPINSTALLLOCATIONAI_UPDATER_UNINSTALL/clean silentUninstallTasksChrome/EnforcedRunAsAdmin /RunAsAdmin /HideWindow /dir "[TempFolder]" "[AI_CHROME.BAT]"Edge/EnforcedRunAsAdmin /RunAsAdmin /HideWindow /dir "[TempFolder]" "[AI_EDGE.BAT]"AI_SET_PATCHSET_APPDIR[ProgramFilesFolder]\[ProductName]SET_SHORTCUTDIRSHORTCUTDIR[ProgramMenuFolder][ProductName]AI_CORRECT_INSTALL{}AI_ADMINAI_SET_MAINTDetectModernWindowsAI_DETECT_WINTHEMEDetectWindowsThemeAI_DATA_SETTER_8[AI_Init_WelcomeDlg][ProductName] [Setup]Installer InformationCertSourceDirAPPDIR:.TempFolderTEMPFO~1|TempFolderWindowsVolumeWINDOW~1|WindowsVolumeAPPS-H~1|apps-helper{{Fatal error: }}{{Error [1]. }}Invalid CRC checksum value for [2] file.{ Its header says [3] for checksum, its computed value is [4].}The file '[2]' cannot be installed because the file cannot be found in cabinet file '[3]'. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.Warning [1]. Bad foreign key ('[2]') in '[3]' column of the '[4]' table.The installer has insufficient privileges to access this directory: [2]. The installation cannot continue. Log on as administrator or contact your system administrator.Info [1]. Could not enumerate subfolders for folder: [2].Action not found: [2].The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is [1]. {{The arguments are: [2], [3], [4]}}You must restart your system for the configuration changes made to [2] to take effect. Click "Yes" to restart now or "No" if you plan to manually restart later.CreateNewDialog failed for the dialog [2].{{Disk full: }}Custom action [2] not found in Binary table stream.Changing the text font to [2] failed.Failed to correctly move [2] file: CRC error.Action [Time]: [1]. [2]Bad value in database. Table: '[2]'; Primary key: '[3]'; Column: '[4]'[ProductName]The file [2] is missing.{[2]}{, [3]}{, [4]}Configuration failed.Message type: [1], Argument: [2]Source file not found{{(cabinet)}}: [2]. Verify that the file exists and that you can access it.=== Logging started: [Date] [Time] ====== Logging stopped: [Date] [Time] ===An error occurred while writing installation information to disk. Check to make sure enough disk space is available, and click "Retry", or "Cancel" to end the install.Drive not ready: [2].Error reading from file [2]. {{ System err
Source: setup.exe String found in binary or memory: start "" "msedge" --profile-directory="Default" --no-startup-window --load-extension="%systemdrive%\apps-helper"
Source: setup.exe String found in binary or memory: start "" "msedge" --profile-directory="Default" --no-startup-window --load-extension="%systemdrive%\apps-helper"
Source: setup.exe String found in binary or memory: start "" "%chrome_exe%" --profile-directory="Default" --no-startup-window --load-extension="%systemdrive%\apps-helper"
Source: setup.exe String found in binary or memory: start "" "%chrome_exe%" --profile-directory="Default" --no-startup-window --load-extension="%systemdrive%\apps-helper"
Source: C:\Users\user\Desktop\setup.exe File read: C:\Users\user\Desktop\setup.exe
Source: unknown Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DD3B85FC1F11BB110F90DDDEF4702234 C
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe" /i "C:\Users\user\AppData\Roaming\Chromstera Solutions\Chromstera Browser 1.0.0.0\install\Chromnius-Main.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Chromstera Browser" SECONDSEQUENCE="1" CLIENTPROCESSID="7404" AI_MORE_CMD_LINE=1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C76E3ECFDACF14783EC0EC85D3ECBB2C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CB2789DE8A953DFC6FBB92EF73C3F598 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pssD27E.ps1" -propFile "C:\Windows\SystemTemp\msiD25B.txt" -scriptFile "C:\Windows\SystemTemp\scrD25C.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scrD25D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe "C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssED0B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiECF7.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrECF8.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrECF9.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss1394.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi1332.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr1333.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr1334.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI4739.tmp "C:\Windows\Installer\MSI4739.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow /dir "C:\Users\user\AppData\Local\Temp\" "C:\Users\user\AppData\Local\Temp\chrome.bat"
Source: C:\Windows\Installer\MSI4739.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "path" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "version" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "path" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "version" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\apps-helper"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2012,i,10222868034098351333,13685129222229150854,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2012,i,17522224552689378138,6417613085102451852,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1992,i,14024855596687576691,10802708795507051728,262144 /prefetch:8
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSIFB77.tmp "C:\Windows\Installer\MSIFB77.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow /dir "C:\Users\user\AppData\Local\Temp\" "C:\Users\user\AppData\Local\Temp\edge.bat"
Source: C:\Windows\Installer\MSIFB77.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\edge.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe" /i "C:\Users\user\AppData\Roaming\Chromstera Solutions\Chromstera Browser 1.0.0.0\install\Chromnius-Main.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Chromstera Browser" SECONDSEQUENCE="1" CLIENTPROCESSID="7404" AI_MORE_CMD_LINE=1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DD3B85FC1F11BB110F90DDDEF4702234 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding C76E3ECFDACF14783EC0EC85D3ECBB2C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding CB2789DE8A953DFC6FBB92EF73C3F598 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI4739.tmp "C:\Windows\Installer\MSI4739.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow /dir "C:\Users\user\AppData\Local\Temp\" "C:\Users\user\AppData\Local\Temp\chrome.bat"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSIFB77.tmp "C:\Windows\Installer\MSIFB77.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow /dir "C:\Users\user\AppData\Local\Temp\" "C:\Users\user\AppData\Local\Temp\edge.bat"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssED0B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiECF7.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrECF8.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrECF9.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss1394.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi1332.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr1333.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr1334.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pssD27E.ps1" -propFile "C:\Windows\SystemTemp\msiD25B.txt" -scriptFile "C:\Windows\SystemTemp\scrD25C.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scrD25D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\Installer\MSI4739.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "path" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "version" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "path" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "version" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\apps-helper"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2012,i,10222868034098351333,13685129222229150854,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-startup-window /prefetch:5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2012,i,17522224552689378138,6417613085102451852,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1992,i,14024855596687576691,10802708795507051728,262144 /prefetch:8
Source: C:\Windows\Installer\MSIFB77.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\edge.bat" "
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
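The process log above records one chain worth detecting on its own: a 32-bit msiexec.exe custom action runs PowerShell with -ExecutionPolicy Bypass on a script dropped in a Temp directory; msiexec.exe then launches a C:\Windows\Installer\MSI*.tmp helper with /RunAsAdmin to run chrome.bat from the user's Temp folder; that batch file uses reg.exe to write the Chrome ExtensionInstallAllowlist policy and the Google\Chrome\Extensions path/version values, then starts chrome.exe with --load-extension="C:\apps-helper"; the same helper pattern repeats for edge.bat. The script below is an added example and not part of the sandbox report: it parses the report's own "Source: ... Process created: ..." lines, tags each of the four stages, and reports whether the whole chain is present. The sample lines are copied from the report (the PowerShell one shortened); the Edge registry keys are assumed equivalents the report does not show, and the matcher does not require a hive prefix because the captured reg.exe lines carry none and an empty /d value, which looks like unexpanded batch variables rather than a deliberate choice.

```python
"""Detect the forced browser-extension install chain recorded in the process log above.
Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# "Source: <parent> Process created: <rest>", where <rest> is "<image> <command line>".
_LINE = re.compile(r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<rest>.+)$")
# The image path is unquoted and may contain spaces, so cut at the first .exe/.tmp
# that is followed by whitespace or end of line.
_IMAGE = re.compile(r"^(?P<image>.+?\.(?:exe|tmp))(?:\s+(?P<cmd>.*))?$", re.IGNORECASE)

# Scratch directories an installer should not be running scripts from.
_TEMP_DIRS = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\SystemTemp|Windows\\Temp)\\", re.IGNORECASE)
# Registry paths that allow or force an extension outside the store. No hive is
# required (the report's reg.exe lines carry none; assumed unexpanded batch variables).
# The Edge keys are assumed equivalents; the report only shows the Chrome ones.
_EXT_KEYS = re.compile(
    r"\\(?:Policies\\Google\\Chrome\\ExtensionInstall(?:Allowlist|Forcelist)"
    r"|Google\\Chrome\\Extensions\\"
    r"|Policies\\Microsoft\\Edge\\ExtensionInstall(?:Allowlist|Forcelist)"
    r"|Microsoft\\Edge\\Extensions\\)",
    re.IGNORECASE,
)
# All four stages together are the sideload chain seen in the report.
CHAIN = frozenset(
    {"ps_bypass_temp", "msi_tmp_bat_admin", "reg_extension_policy", "browser_load_extension"})


@dataclass(frozen=True)
class Proc:
    parent: str
    image: str
    cmd: str


def parse(line: str) -> Optional[Proc]:
    """Parse one report line; None when the child is unresolved ("unknown unknown")."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    im = _IMAGE.match(m["rest"])
    if not im:
        return None
    return Proc(m["parent"], im["image"], im["cmd"] or "")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(p: Proc) -> Set[str]:
    """Stages this one process matches (empty set = nothing suspicious)."""
    tags = set()
    name, cmd = basename(p.image), p.cmd
    if (name == "powershell.exe" and _TEMP_DIRS.search(cmd)
            and re.search(r"-ExecutionPolicy\s+Bypass", cmd, re.IGNORECASE)):
        tags.add("ps_bypass_temp")          # custom action running a script from Temp
    if (name.startswith("msi") and name.endswith(".tmp") and "/RunAsAdmin" in cmd
            and _TEMP_DIRS.search(cmd) and re.search(r'\.bat"?\s*$', cmd, re.IGNORECASE)):
        tags.add("msi_tmp_bat_admin")       # installer helper elevating a .bat in Temp
    if (name == "reg.exe" and _EXT_KEYS.search(cmd)
            and re.match(r"\s*REG\s+ADD\b", cmd, re.IGNORECASE)):
        tags.add("reg_extension_policy")    # allowlist / Extensions key written by reg.exe
    if name in ("chrome.exe", "msedge.exe") and "--load-extension=" in cmd:
        tags.add("browser_load_extension")  # unpacked extension loaded from disk
    return tags


def analyse(lines: List[str]) -> dict:
    """Run classify() over every line; return the hits, stages seen and a chain verdict."""
    hits = []
    for line in lines:
        p = parse(line)
        if p is not None and classify(p):
            hits.append((basename(p.image), sorted(classify(p))))
    seen = {t for _, tags in hits for t in tags}
    return {"hits": hits, "stages": sorted(seen), "full_chain": CHAIN <= seen}


# Lines copied from the report (the PowerShell one shortened). The conhost, chrome
# utility and "unknown unknown" lines are benign or unparseable controls.
SAMPLE = [
    r'Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssED0B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiECF7.txt"',
    r'Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\Installer\MSI4739.tmp "C:\Windows\Installer\MSI4739.tmp" /EnforcedRunAsAdmin /RunAsAdmin /HideWindow /dir "C:\Users\user\AppData\Local\Temp\" "C:\Users\user\AppData\Local\Temp\chrome.bat"',
    r'Source: C:\Windows\Installer\MSI4739.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\chrome.bat" "',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d /f',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "path" /t REG_SZ /d /f',
    r'Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\apps-helper"',
    r'Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService /prefetch:8',
    r'Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown',
]

if __name__ == "__main__":
    result = analyse(SAMPLE)
    for image, tags in result["hits"]:
        print(f"{image:<16} {', '.join(tags)}")
    print("full sideload chain:", result["full_chain"])
```

On a live host the same four predicates apply unchanged to Sysmon Event ID 1 or Security 4688 command lines; only parse() is specific to the report's line format. The reg.exe and --load-extension stages are the ones to alert on individually, since a legitimate installer has no reason to touch the Chrome extension policy keys or to start the user's browser with an unpacked extension from C:\apps-helper.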
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: davhlpr.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: lpk.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msihnd.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: tsappcmp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: msisip.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\setup.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: acgenral.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: davhlpr.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: lpk.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: msi.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: davhlpr.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: lpk.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: msihnd.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\Installer\MSI4739.tmp Section loaded: msi.dll
Source: C:\Windows\Installer\MSI4739.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\msiexec.exe File written: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Chromstera Browser 1.0.0.0
Source: setup.exe Static PE information: certificate valid
Source: setup.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: setup.exe Static file information: File size 9454152 > 1048576
Source: setup.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x26ae00
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: setup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wininet.pdb source: setup.exe, 00000000.00000003.1719958497.0000000005251000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000003.00000003.1746421738.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, shi3105.tmp.0.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbR source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbg source: setup.exe, MSIEC26.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdbD source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: n.pdb" source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 31bf3856ad364e35corlib.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E2D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\Updater.pdb source: ChromsteraUpdater.exe, 00000008.00000000.1793999764.00000000001A8000.00000002.00000001.01000000.0000000C.sdmp, ChromsteraUpdater.exe, 00000008.00000002.1810635597.00000000001A8000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbR source: powershell.exe, 00000006.00000002.1833673011.000002526E2D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdbC source: setup.exe, MSI4739.tmp.1.dr, MSIFB77.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbfi source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 00000006.00000002.1831930535.000002526E104000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\Prereq.pdb source: setup.exe, Chromnius-Main.msi.0.dr
Source: Binary string: on.pdb source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089q8 source: powershell.exe, 00000006.00000002.1831930535.000002526E104000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1829332042.000002526C18F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: setup.exe, MSI3250.tmp.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \Sre.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbpdbity.pdb89+&| source: powershell.exe, 00000006.00000002.1831930535.000002526E104000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: setup.exe
Source: Binary string: System.Management.Automation.pdblb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\aischeduler2.pdb source: setup.exe, MSICC66.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: setup.exe, MSIEC26.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdblat* source: powershell.exe, 00000006.00000002.1831930535.000002526E09C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb[ source: powershell.exe, 00000006.00000002.1831930535.000002526E129000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbd50a source: powershell.exe, 00000006.00000002.1831930535.000002526E129000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E313000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb) source: setup.exe, MSI35A6.tmp.0.dr, tempFiles.dll.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x64\viewer.pdb source: setup.exe, MSI4739.tmp.1.dr, MSIFB77.tmp.1.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb'iM source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbtionmw source: powershell.exe, 00000006.00000002.1831930535.000002526E129000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ion.pdb source: powershell.exe, 00000006.00000002.1829332042.000002526C18F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wininet.pdbUGP source: setup.exe, 00000000.00000003.1719958497.0000000005251000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000003.00000003.1746421738.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, shi3105.tmp.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: setup.exe, MSI3250.tmp.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\lzmaextractor.pdb source: setup.exe, lzmaextractor.dll.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: setup.exe, MSI3193.tmp.0.dr, MSICBB9.tmp.1.dr, MSICA7D.tmp.1.dr, MSI331F.tmp.0.dr, MSI35E5.tmp.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\viewer.pdb source: setup.exe, viewer.exe.0.dr, Chromnius-Main.msi.0.dr
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: powershell.exe, 00000006.00000002.1833673011.000002526E346000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\tempFiles.pdb source: setup.exe, MSI35A6.tmp.0.dr, tempFiles.dll.0.dr, Chromnius-Main.msi.0.dr
Source: setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: setup.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: shi3105.tmp.0.dr Static PE information: 0xC7FEC470 [Wed Apr 29 05:06:56 2076 UTC]
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CCF120 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,FreeLibrary, 0_2_00CCF120
Source: shi3105.tmp.0.dr Static PE information: section name: .wpp_sf
Source: shi3105.tmp.0.dr Static PE information: section name: .didat
Source: MSI4739.tmp.1.dr Static PE information: section name: _RDATA
Source: MSIFB77.tmp.1.dr Static PE information: section name: _RDATA
Source: shiC6A3.tmp.3.dr Static PE information: section name: .wpp_sf
Source: shiC6A3.tmp.3.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BBB10B push esi; ret 0_2_00BBB10D
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CAB2C0 push ecx; mov dword ptr [esp], 3F800000h 0_2_00CAB3F6
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BBD310 push ecx; mov dword ptr [esp], ecx 0_2_00BBD311
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BCC63B push ds; ret 0_2_00BCC63F
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D8086C push ecx; ret 0_2_00D8087F
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BBB10B push esi; ret 3_2_00BBB10D
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00CAB2C0 push ecx; mov dword ptr [esp], 3F800000h 3_2_00CAB3F6
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BBD310 push ecx; mov dword ptr [esp], ecx 3_2_00BBD311
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BCC63B push ds; ret 3_2_00BCC63F
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00D8086C push ecx; ret 3_2_00D8087F
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_00167FC0 push ecx; ret 8_2_00167FD3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00007FFD9B4019BC pushad ; ret 14_2_00007FFD9B4019C9

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSIFB77.tmp
Source: C:\Windows\System32\msiexec.exe Executable created and started: C:\Windows\Installer\MSI4739.tmp
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\viewer.exe
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI331F.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\shi3105.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICA7D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEC26.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICBB9.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI32EF.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\tempFiles.dll
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\shiC6A3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI4739.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI3193.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID11C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID04F.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI3290.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\lzmaextractor.dll
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI3517.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICB79.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI3340.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICAEB.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI3230.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI35A6.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC933.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI3566.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC9EF.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI32CF.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI11D0.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI35E5.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI3250.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI3360.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIFB77.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\MSI34E7.tmp
Source: C:\Users\user\Desktop\setup.exe File created: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\aischeduler2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICC66.tmp
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\apps-helper"
Source: C:\Users\user\Desktop\setup.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\setup.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Installer\MSI4739.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSI4739.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Installer\MSIFB77.tmp Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Installer\MSIFB77.tmp Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_000F02B0 8_2_000F02B0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4082
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4615
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6014
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2232
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5887
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1951
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI331F.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\viewer.exe
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shi3105.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICA7D.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEC26.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICBB9.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI32EF.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\shiC6A3.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3193.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID11C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID04F.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\lzmaextractor.dll
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3517.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3290.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICB79.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICAEB.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3340.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI35A6.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3230.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC933.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3566.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC9EF.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI11D0.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI32CF.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI35E5.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3250.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI3360.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MSI34E7.tmp
Source: C:\Users\user\Desktop\setup.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\aischeduler2.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSICC66.tmp
Source: C:\Windows\Installer\MSIFB77.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\Installer\MSI4739.tmp Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\setup.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\Desktop\setup.exe API coverage: 5.7 %
Source: C:\Users\user\Desktop\setup.exe API coverage: 5.5 %
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe API coverage: 4.5 %
Source: C:\Windows\Installer\MSI4739.tmp API coverage: 5.1 %
Source: C:\Windows\Installer\MSIFB77.tmp API coverage: 4.3 %
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_000F02B0 8_2_000F02B0
Source: C:\Users\user\Desktop\setup.exe TID: 7424 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep count: 4082 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048 Thread sleep count: 4615 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8108 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8068 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4092 Thread sleep count: 6014 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4092 Thread sleep count: 2232 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 332 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1860 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7664 Thread sleep count: 5887 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7660 Thread sleep count: 1951 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3468 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\timeout.exe TID: 2344 Thread sleep count: 45 > 30
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\setup.exe File Volume queried: C:\Users\user\AppData\Roaming FullSizeInformation
Source: C:\Users\user\Desktop\setup.exe File Volume queried: C:\Users\user\AppData\Roaming\Chromstera Solutions\Chromstera Browser 1.0.0.0\install FullSizeInformation
Source: C:\Users\user\Desktop\setup.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CCBDA0 FindFirstFileW,GetLastError,FindClose, 0_2_00CCBDA0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BC2290 FindClose,PathIsUNCW,FindFirstFileW,GetFullPathNameW,GetFullPathNameW,FindClose,SetLastError,_wcsrchr,_wcsrchr,PathIsUNCW, 0_2_00BC2290
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CCB3A0 _wcsrchr,_wcsrchr,FindFirstFileW,FindFirstFileW,FindFirstFileW,FindClose,FindClose,_wcsrchr, 0_2_00CCB3A0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CCB7D0 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,GetFileAttributesW,FindNextFileW, 0_2_00CCB7D0
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_000DEAA0 GetLastError,GetLastError,GetLastError,FindFirstFileW,GetLastError,FindClose, 8_2_000DEAA0
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_00184E5C FindFirstFileExW,FindNextFileW,FindClose,FindClose, 8_2_00184E5C
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D7D0F2 VirtualQuery,GetSystemInfo, 0_2_00D7D0F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: MSIFB77.tmp, 00000036.00000003.2838702310.000001567CDE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: setup.exe, 00000000.00000003.1717180600.0000000003C6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1716043563.0000000003C6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2315981321.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2950970650.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Chromnius-Main.msi.0.dr Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: setup.exe, 00000000.00000003.1717180600.0000000003C6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2318609017.0000000003C48000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1716043563.0000000003C6D000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2315981321.0000000003C6C000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2315981321.0000000003C34000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1716752934.0000000003C34000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.1716107883.0000000003C34000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000002.2950811830.0000000003C49000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 00000000.00000003.2317680666.0000000003C73000.00000004.00000020.00020000.00000000.sdmp, ChromsteraUpdater.exe, 00000008.00000002.1810981504.00000000005E7000.00000004.00000020.00020000.00000000.sdmp, ChromsteraUpdater.exe, 00000008.00000002.1810981504.000000000065E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000006.00000002.1833673011.000002526E2D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D7F583 IsDebuggerPresent,OutputDebugStringW, 0_2_00D7F583
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D00370 CreateFileW,GetLastError,OutputDebugStringW,OutputDebugStringW,SetFilePointer,FlushFileBuffers,WriteFile,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers,OutputDebugStringW,WriteFile,WriteFile,FlushFileBuffers,FlushFileBuffers,WriteFile,FlushFileBuffers,WriteFile,FlushFileBuffers, 0_2_00D00370
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CCF120 LoadLibraryW,GetProcAddress,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,FreeLibrary, 0_2_00CCF120
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D9A090 mov eax, dword ptr fs:[00000030h] 0_2_00D9A090
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D9A04C mov eax, dword ptr fs:[00000030h] 0_2_00D9A04C
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D8B54A mov ecx, dword ptr fs:[00000030h] 0_2_00D8B54A
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D7F896 mov esi, dword ptr fs:[00000030h] 0_2_00D7F896
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00D9A090 mov eax, dword ptr fs:[00000030h] 3_2_00D9A090
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00D9A04C mov eax, dword ptr fs:[00000030h] 3_2_00D9A04C
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00D8B54A mov ecx, dword ptr fs:[00000030h] 3_2_00D8B54A
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00D7F896 mov esi, dword ptr fs:[00000030h] 3_2_00D7F896
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_001501C9 mov esi, dword ptr fs:[00000030h] 8_2_001501C9
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_0018252D mov eax, dword ptr fs:[00000030h] 8_2_0018252D
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_00178DA0 mov ecx, dword ptr fs:[00000030h] 8_2_00178DA0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D7F902 GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 0_2_00D7F902
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BDC5D0 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00BDC5D0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D80424 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00D80424
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D84FE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00D84FE3
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BDEF30 __set_se_translator,SetUnhandledExceptionFilter, 0_2_00BDEF30
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00D80424 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00D80424
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BDC5D0 __set_se_translator,SetUnhandledExceptionFilter, 3_2_00BDC5D0
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00D84FE3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00D84FE3
Source: C:\Users\user\Desktop\setup.exe Code function: 3_2_00BDEF30 __set_se_translator,SetUnhandledExceptionFilter, 3_2_00BDEF30
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_00168138 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00168138
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_001682CB SetUnhandledExceptionFilter, 8_2_001682CB
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_0016C5B3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0016C5B3
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_0016784D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0016784D
Source: C:\Windows\Installer\MSI4739.tmp Code function: 16_2_00007FF77C0C906C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF77C0C906C
Source: C:\Windows\Installer\MSI4739.tmp Code function: 16_2_00007FF77C0C9924 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF77C0C9924
Source: C:\Windows\Installer\MSI4739.tmp Code function: 16_2_00007FF77C0C9B0C SetUnhandledExceptionFilter, 16_2_00007FF77C0C9B0C
Source: C:\Windows\Installer\MSI4739.tmp Code function: 16_2_00007FF77C0CF478 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 16_2_00007FF77C0CF478
Source: C:\Windows\Installer\MSIFB77.tmp Code function: 54_2_00007FF7A478906C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 54_2_00007FF7A478906C
Source: C:\Windows\Installer\MSIFB77.tmp Code function: 54_2_00007FF7A4789924 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 54_2_00007FF7A4789924
Source: C:\Windows\Installer\MSIFB77.tmp Code function: 54_2_00007FF7A4789B0C SetUnhandledExceptionFilter, 54_2_00007FF7A4789B0C
Source: C:\Windows\Installer\MSIFB77.tmp Code function: 54_2_00007FF7A478F478 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 54_2_00007FF7A478F478

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: setup.exe, type: SAMPLE
Source: Yara match File source: amsi64_7964.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: setup.exe PID: 7404, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: setup.exe PID: 7728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7964, type: MEMORYSTR
Source: Yara match File source: C:\Windows\Installer\6bc77d.msi, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSICC46.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Chromstera Solutions\Chromstera Browser 1.0.0.0\install\Chromnius-Main.msi, type: DROPPED
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pssD27E.ps1" -propFile "C:\Windows\SystemTemp\msiD25B.txt" -scriptFile "C:\Windows\SystemTemp\scrD25C.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scrD25D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\Installer\MSI4739.tmp Code function: 16_2_00007FF77C096D60 GetWindowsDirectoryW,GetForegroundWindow,ShellExecuteExW,ShellExecuteExW,GetModuleHandleW,GetProcAddress,GetProcessId,AllowSetForegroundWindow,GetModuleHandleW,GetProcAddress,Sleep,EnumWindows,SetWindowPos,WaitForSingleObject,GetExitCodeProcess,GetWindowThreadProcessId,GetWindowLongPtrW, 16_2_00007FF77C096D60
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe" /i "C:\Users\user\AppData\Roaming\Chromstera Solutions\Chromstera Browser 1.0.0.0\install\Chromnius-Main.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Chromstera Browser" SECONDSEQUENCE="1" CLIENTPROCESSID="7404" AI_MORE_CMD_LINE=1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssED0B.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiECF7.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrECF8.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrECF9.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss1394.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi1332.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr1333.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr1334.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pssD27E.ps1" -propFile "C:\Windows\SystemTemp\msiD25B.txt" -scriptFile "C:\Windows\SystemTemp\scrD25C.ps1" -scriptArgsFile "C:\Windows\SystemTemp\scrD25D.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\Installer\MSI4739.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "path" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "version" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "path" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "version" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\apps-helper"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2 (20 identical entries)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 5
Source: C:\Windows\Installer\MSIFB77.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\edge.bat" "
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown (28 identical entries)
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\Desktop\setup.exe "c:\users\user\desktop\setup.exe" /i "c:\users\user\appdata\roaming\chromstera solutions\chromstera browser 1.0.0.0\install\chromnius-main.msi" ai_euimsi=1 appdir="c:\program files (x86)\chromstera browser" secondsequence="1" clientprocessid="7404" ai_more_cmd_line=1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\windows\systemtemp\pssd27e.ps1" -propfile "c:\windows\systemtemp\msid25b.txt" -scriptfile "c:\windows\systemtemp\scrd25c.ps1" -scriptargsfile "c:\windows\systemtemp\scrd25d.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssed0b.ps1" -propfile "c:\users\user\appdata\local\temp\msiecf7.txt" -scriptfile "c:\users\user\appdata\local\temp\screcf8.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\screcf9.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss1394.ps1" -propfile "c:\users\user\appdata\local\temp\msi1332.txt" -scriptfile "c:\users\user\appdata\local\temp\scr1333.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr1334.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Users\user\Desktop\setup.exe Process created: C:\Users\user\Desktop\setup.exe "c:\users\user\desktop\setup.exe" /i "c:\users\user\appdata\roaming\chromstera solutions\chromstera browser 1.0.0.0\install\chromnius-main.msi" ai_euimsi=1 appdir="c:\program files (x86)\chromstera browser" secondsequence="1" clientprocessid="7404" ai_more_cmd_line=1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssed0b.ps1" -propfile "c:\users\user\appdata\local\temp\msiecf7.txt" -scriptfile "c:\users\user\appdata\local\temp\screcf8.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\screcf9.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss1394.ps1" -propfile "c:\users\user\appdata\local\temp\msi1332.txt" -scriptfile "c:\users\user\appdata\local\temp\scr1333.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr1334.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\windows\systemtemp\pssd27e.ps1" -propfile "c:\windows\systemtemp\msid25b.txt" -scriptfile "c:\windows\systemtemp\scrd25c.ps1" -scriptargsfile "c:\windows\systemtemp\scrd25d.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
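The process-creation entries above record two chains worth a detection rule. First, msiexec.exe launches powershell.exe with -ExecutionPolicy Bypass -File on a pss*.ps1 script in C:\Windows\SystemTemp or the user's Temp directory; the AI_EUIMSI / AI_MORE_CMD_LINE properties and the AI_EXTUI_BIN_7404 directory identify the package as an Advanced Installer build, and this argument shape (-propFile, -scriptFile, -scriptArgsFile, -propSep, -lineSep, -testPrefix) is how that tool runs a PowerShell custom action. Second, MSI4739.tmp runs chrome.bat from Temp, which uses reg.exe to write Chrome's ExtensionInstallAllowlist policy key and an Extensions registration key, then starts chrome.exe hidden (--no-startup-window) with --load-extension="C:\apps-helper"; MSIFB77.tmp then runs edge.bat, whose children the sandbox could not resolve. In the captured REG ADD lines the key carries no hive prefix and /d has no value, which most likely means batch variables that did not expand in the sandbox, so a rule has to match the key suffix rather than a full registry path.

The Python script below is an added example, not part of this report and not code from the analysed sample. It parses lines in the report's own "Source: <parent> Process created: <child>" form and raises a finding for each of those behaviours. The sample lines are copied (some with shortened argument lists) from the listing above; the rule names, the browser and temp-directory lists, and the regular expressions are the example's own choices.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One sandbox listing line: "Source: <parent image> Process created: <child image> <command line>"
PROC_RE = re.compile(r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<child>.+?)\s*$", re.I)
# The child field opens with the image path; everything up to the first ".exe" is the image.
# Image paths may contain spaces ("C:\Program Files\..."), so splitting on whitespace would be wrong.
IMAGE_RE = re.compile(r"^(?P<image>.+?\.exe)\s*(?P<args>.*)$", re.I)
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\SystemTemp|Windows\\Temp)\\", re.I)
EP_BYPASS_RE = re.compile(r"(?<!\S)-e[a-z]*\s+bypass\b", re.I)            # -ExecutionPolicy / -ep Bypass
PS_FILE_RE = re.compile(r'(?<!\S)-f[a-z]*\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)  # -File <script>
LOAD_EXT_RE = re.compile(r'--load-extension=(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
# The captured REG ADD lines have no hive prefix (HKLM\SOFTWARE\... is missing), so match the key suffix.
EXT_KEY_RE = re.compile(
    r"\\Policies\\Google\\Chrome\\ExtensionInstall(?:Allowlist|Forcelist|Whitelist)"
    r"|\\Google\\Chrome\\Extensions\\", re.I)
BATCH_RE = re.compile(r"\.(?:bat|cmd)\b", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}   # assumption: Chromium family only


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    image: str
    detail: str


def parse_line(line):
    """Return (parent, image, args) or None if the line is not a resolvable process-creation entry."""
    m = PROC_RE.match(line.strip())
    if not m:
        return None
    im = IMAGE_RE.match(m.group("child"))
    if not im:                      # e.g. "Process created: unknown unknown"
        return None
    return m.group("parent"), im.group("image"), im.group("args")


def _captured(m):
    return m.group("q") or m.group("u")


def triage_line(line):
    """Apply the four rules to one listing line and return the findings it produces."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    parent, image, args = parsed
    name = image.rsplit("\\", 1)[-1].lower()
    out = []
    # powershell.exe -ExecutionPolicy Bypass -File <script under a temp directory>
    if name in ("powershell.exe", "pwsh.exe") and EP_BYPASS_RE.search(args):
        fm = PS_FILE_RE.search(args)
        if fm and TEMP_DIR_RE.search(_captured(fm)):
            out.append(Finding("powershell_bypass_temp_script", parent, image, _captured(fm)))
    # cmd.exe running a .bat/.cmd that lives in a temp directory
    if name == "cmd.exe" and BATCH_RE.search(args) and TEMP_DIR_RE.search(args):
        out.append(Finding("batch_from_temp", parent, image, args))
    # reg.exe add on Chrome's extension policy or extension registration keys
    if name == "reg.exe" and re.match(r"\s*reg\s+add\b", args, re.I):
        km = EXT_KEY_RE.search(args)
        if km:
            out.append(Finding("chrome_extension_policy_write", parent, image, km.group(0)))
    # a Chromium-based browser started with an unpacked extension directory
    if name in BROWSERS:
        lm = LOAD_EXT_RE.search(args)
        if lm:
            out.append(Finding("browser_sideloaded_extension", parent, image, _captured(lm)))
    return out


def triage(text):
    return [f for line in text.splitlines() for f in triage_line(line)]


def summarize(findings):
    return dict(Counter(f.rule for f in findings))


# Constructed input: lines copied from the sandbox listing, argument lists shortened.
SAMPLE = r"""
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Windows\SystemTemp\pssD27E.ps1" -propFile "C:\Windows\SystemTemp\msiD25B.txt"
Source: C:\Windows\Installer\MSI4739.tmp Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\chrome.bat" "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe REG ADD "\Google\Chrome\Extensions\" /v "path" /t REG_SZ /d /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --no-startup-window --load-extension="C:\apps-helper"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 2
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.rule:32} parent={f.parent}  detail={f.detail}")
    print(summarize(triage(SAMPLE)))
```

Any one of these rules fires on developer machines; the combination that matters here is a reg.exe policy write followed by a --load-extension launch, both parented by cmd.exe under a C:\Windows\Installer\*.tmp process, so alert on the pair rather than on each rule alone.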
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_0013BCD0 LocalFree,GetLastError,GetLastError,LocalAlloc,GetLastError,LocalFree,LocalFree,GetLastError,LocalFree,SetEntriesInAclW,LocalAlloc,InitializeSecurityDescriptor,GetLastError,LocalFree,SetSecurityDescriptorDacl,GetLastError,LocalFree, 8_2_0013BCD0
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00CC72E0 GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,GetLastError,CloseHandle, 0_2_00CC72E0
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_00167DEC cpuid 8_2_00167DEC
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_00188091
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: GetLocaleInfoW, 8_2_00188197
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00188266
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: EnumSystemLocalesW, 8_2_0018073A
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: GetLocaleInfoW, 8_2_00180CB7
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: GetLocaleInfoEx, 8_2_00167283
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: EnumSystemLocalesW, 8_2_00187BA4
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: EnumSystemLocalesW, 8_2_00187BEF
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: EnumSystemLocalesW, 8_2_00187C8A
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00187D15
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: GetLocaleInfoW,GetLocaleInfoW, 8_2_000DBE10
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: GetLocaleInfoW, 8_2_00187F68
Source: C:\Windows\Installer\MSI4739.tmp Code function: GetLocaleInfoEx,FormatMessageA, 16_2_00007FF77C0A2530
Source: C:\Windows\Installer\MSI4739.tmp Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 16_2_00007FF77C0EB6E0
Source: C:\Windows\Installer\MSI4739.tmp Code function: EnumSystemLocalesW, 16_2_00007FF77C0E4710
Source: C:\Windows\Installer\MSI4739.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 16_2_00007FF77C0EBF38
Source: C:\Windows\Installer\MSI4739.tmp Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 16_2_00007FF77C0EC114
Source: C:\Windows\Installer\MSI4739.tmp Code function: EnumSystemLocalesW, 16_2_00007FF77C0EBA2C
Source: C:\Windows\Installer\MSI4739.tmp Code function: EnumSystemLocalesW, 16_2_00007FF77C0EBAFC
Source: C:\Windows\Installer\MSI4739.tmp Code function: GetLocaleInfoEx, 16_2_00007FF77C0C83A4
Source: C:\Windows\Installer\MSI4739.tmp Code function: GetLocaleInfoW, 16_2_00007FF77C0E4C54
Source: C:\Windows\Installer\MSIFB77.tmp Code function: GetLocaleInfoEx,FormatMessageA, 54_2_00007FF7A4762530
Source: C:\Windows\Installer\MSIFB77.tmp Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 54_2_00007FF7A47AB6E0
Source: C:\Windows\Installer\MSIFB77.tmp Code function: EnumSystemLocalesW, 54_2_00007FF7A47A4710
Source: C:\Windows\Installer\MSIFB77.tmp Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 54_2_00007FF7A47ABF38
Source: C:\Windows\Installer\MSIFB77.tmp Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 54_2_00007FF7A47AC114
Source: C:\Windows\Installer\MSIFB77.tmp Code function: EnumSystemLocalesW, 54_2_00007FF7A47ABAFC
Source: C:\Windows\Installer\MSIFB77.tmp Code function: EnumSystemLocalesW, 54_2_00007FF7A47ABA2C
Source: C:\Windows\Installer\MSIFB77.tmp Code function: GetLocaleInfoEx, 54_2_00007FF7A47883A4
Source: C:\Windows\Installer\MSIFB77.tmp Code function: GetLocaleInfoW, 54_2_00007FF7A47A4C54
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\sys_min_down.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\sys_min_hot.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\sys_min_hot.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\sys_min_normal.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\sys_min_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_top_left.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_top_left_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_top_mid.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_top_mid_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_caption.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_caption_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_top_right.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_top_right_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_left.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_left_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_right.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_right_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_bottom_left.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_bottom_left_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_bottom_mid.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_bottom_mid_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_bottom_right.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\frame_bottom_right_inactive.bmp VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\dialog.jpg VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\dialog.jpg VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\Users\user\AppData\Local\Temp\AI_EXTUI_BIN_7404\banner.jpg VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00D00290 GetLocalTime, 0_2_00D00290
Source: C:\Program Files (x86)\Chromstera Browser\ChromsteraUpdater.exe Code function: 8_2_00181549 GetTimeZoneInformation, 8_2_00181549
Source: C:\Users\user\Desktop\setup.exe Code function: 0_2_00BA7620 GetVersionExW,GetVersionExW,GetVersionExW,IsProcessorFeaturePresent, 0_2_00BA7620
Source: C:\Users\user\Desktop\setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\setup.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob