Windows Analysis Report
PWMinderInstaller-3.3.1.1.msi

Overview

General Information

Sample Name: PWMinderInstaller-3.3.1.1.msi
Analysis ID: 752911
MD5: 9661ec2a8a20c92f691e50cd91750a1d
SHA1: 092ee11b9c2805f808e0a072c5db1cced5648418
SHA256: d621d35135fe84d33a85da02b68dd2e327cd01d6185b0cddda98042259c2da0c

Detection

Score: 14
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Creates autostart registry keys to launch java
May use bcdedit to modify the Windows boot settings
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Installs a raw input device (often for capturing keystrokes)
Modifies existing windows services
Drops PE files
Tries to load missing DLLs
Deletes files inside the Windows folder
Drops PE files to the windows directory (C:\Windows)
Creates files inside the system directory
Binary contains a suspicious time stamp
Stores files to the Windows start menu directory
Checks for available system drives (often done to infect USB drives)
Creates or modifies windows services
Found dropped PE file which has not been started or loaded

Classification

Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\conf\security\policy\README.txt
Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{057BD86F-54F3-343C-AD7C-A5491C1BF591}
Source: Binary string: javajpeg.pdbDD source: javajpeg.dll.3.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.3.dr
Source: Binary string: w2k_lsa_auth.pdb source: w2k_lsa_auth.dll.3.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdbGCTL source: api-ms-win-crt-process-l1-1-0.dll.3.dr
Source: Binary string: net.pdb.. source: net.dll.3.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.3.dr
Source: Binary string: javajpeg.pdb source: javajpeg.dll.3.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdbGCTL source: api-ms-win-crt-stdio-l1-1-0.dll.3.dr
Source: Binary string: net.pdb source: net.dll.3.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: d:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\SrTasks.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: SrTasks.exe, 00000008.00000003.15037999486.000001957C760000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: #_WinAPI_RegisterRawInputDevices.au3
Source: api-ms-win-crt-locale-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-fibers-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: API-MS-Win-core-xstate-l2-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.3.dr Static PE information: No import functions for PE file found
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\SrTasks.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI32C3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\672546.msi
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\PWMinderInstaller-3.3.1.1.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding AA2466DF693EDC0D641C8A2AD508EE22 C
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding F668B67427E86DF4293AE146E1BBBBE7
Source: PWMinderInstaller-3.3.1.1.msi Static file information: TRID: Microsoft Windows Installer (77509/1) 63.77%
Source: C:\Windows\System32\SrTasks.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{883FF1FC-09E1-48e5-8E54-E2469ACB0CFD}\InprocServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6756:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6756:304:WilStaging_02
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder
Source: SrTasks.exe, 00000008.00000003.15035054063.000001957C460000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AutoItX.sln~<<
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\Public\Desktop\PWMinder.lnk
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIBEBC.tmp
Source: metadata-2.3.dr Binary string: disk cleanup.lnk22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.3.dr Binary string: scan_.ico22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.3.dr Binary string: rs_restoreieconnection.ps122\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.3.dr Binary string: 8514oemt.fon22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\))programdata\microsoft\uev\inboxtemplates##microsoftoffice2013backupwin32.xml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.3.dr Binary string: " restoreMetadata="no" notifyOnBackupComplete="no" selectable="yes" selectableForRestore="no" componentFlags="0"><FILE_LIST path="\\?\GLOBALROOT\Device\HarddiskVolume2\EFI\Microsoft\Boot" filespec="*.*" recursive="yes" filespecBackupType="15"/></FILE_GROUP></BACKUP_LOCATIONS></WRITER_METADATA>
Source: metadata-2.3.dr Binary string: devicediagnostic.xml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.3.dr Binary string: beam_i.cur22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.3.dr Binary string: speech recognition.lnk22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\QQprogramdata\microsoft\device stage\device\{8702d817-5aad-4674-9ef3-4d3decd87120}
Source: metadata-2.3.dr Binary string: windows\diagtrack$$remoteaggregatortriggercriteria.dat22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\((windows\diagnostics\system\device\en-gb
Source: metadata-2.3.dr Binary string: generic.cov22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\))programdata\microsoft\uev\inboxtemplates''microsoftskypeforbusiness2016win64.xml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\))programdata\microsoft\uev\inboxtemplates##microsoftoffice2016backupwin64.xml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\QQprogramdata\microsoft\device stage\device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
Source: metadata-2.3.dr Binary string: ts_tempfilecachesize.ps122\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\((windows\diagnostics\system\device\en-us
Source: metadata-2.3.dr Binary string: helppane.exe.mui22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\((windows\diagnostics\system\device\en-us
Source: metadata-2.3.dr Binary string: ts_balanced.ps122\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\((windows\diagnostics\system\device\en-gb
Source: classification engine Classification label: clean14.winMSI@9/243@0/0
Source: C:\Windows\System32\msiexec.exe File read: C:\Windows\win.ini
Source: C:\Windows\System32\msiexec.exe Automated click: Next
Source: C:\Windows\System32\msiexec.exe Automated click: I accept the terms in the License Agreement
Source: C:\Windows\System32\msiexec.exe Automated click: Next
Source: C:\Windows\System32\msiexec.exe Automated click: Next
Source: C:\Windows\System32\msiexec.exe Automated click: Next
Source: C:\Windows\System32\msiexec.exe Automated click: Install
Source: Window Recorder Window detected: More than 3 window changes detected
Source: PWMinderInstaller-3.3.1.1.msi Static file information: File size 73277440 > 1048576
Source: MSIBFE5.tmp.1.dr Static PE information: 0xB3CB4BA4 [Sun Aug 2 13:20:36 2065 UTC]
Source: metadata-2.3.dr Binary or memory string: bcdedit.exe22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\))windows\speech_onecore\engines\tts\en-us
Source: metadata-2.3.dr Binary or memory string: bcdedit.exe.mui22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{057BD86F-54F3-343C-AD7C-A5491C1BF591}\JpARPPRODUCTICON
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\API-MS-Win-core-xstate-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\management.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\fontmanager.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\jrunscript.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\rmiregistry.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\kinit.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\klist.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\client\jvm.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\jli.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\nio.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\net.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\jsound.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI32C3.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\java.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\w2k_lsa_auth.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\mlib_image.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\zip.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\awt.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\dna.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\j2gss.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\keytool.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\ucrtbase.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\jawt.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\sspi_bridge.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\lcms.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIBEBC.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\javaw.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\javajpeg.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\ktab.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\PWMinder.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\jimage.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\freetype.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\prefs.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-fibers-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\splashscreen.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Local\Temp\MSIBFE5.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\rmi.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\server\jvm.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\java.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\verify.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-multibyte-l1-1-0.dll

Boot Survival

Source: C:\Windows\System32\msiexec.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ED66DB19D083C1D35872AAF3CA720EDE F68DB7503F45C343DAC75A94C1B15F19 C:\Program Files (x86)\PWMinder\runtime\bin\javaw.exe
Source: C:\Windows\System32\msiexec.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PWMinder Desktop
Source: C:\Windows\System32\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PWMinder Desktop\PWMinder.lnk
Source: C:\Windows\System32\msiexec.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VssapiPublisher
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\API-MS-Win-core-xstate-l2-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\vcruntime140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\fontmanager.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\jrunscript.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\rmiregistry.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\kinit.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\klist.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\client\jvm.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\jli.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\nio.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\jsound.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\net.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-console-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\java.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\mlib_image.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\zip.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\awt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\dna.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\j2gss.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\keytool.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\jawt.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\sspi_bridge.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\lcms.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\msvcp140.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\javaw.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\javajpeg.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\ktab.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{057BD86F-54F3-343C-AD7C-A5491C1BF591}\JpARPPRODUCTICON Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\jimage.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\PWMinder.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\freetype.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\prefs.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-fibers-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\splashscreen.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\server\jvm.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\rmi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\java.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\verify.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\PWMinder\runtime\bin\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1081_none_ab73ed7a140b868c53e2f0cff
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms.resources_31bf3856ad364e35_10.0.19041.1_en-us_fc0cba9450a52790R
Source: SrTasks.exe, 00000008.00000003.15109388458.000001957B4F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msft_neteventvmnetworkadatper.format.ps1xmlLMEMX
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..ypervisor.resources_31bf3856ad364e35_10.0.19041.1_en-us_c2edb07518552135>
Source: SrTasks.exe, 00000008.00000003.14994660014.000001957D9F8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.14988000384.000001957D9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-gb_71570953289cd4d0
Source: metadata-2.3.dr Binary or memory string: processset.psd122\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\FFwindows\syswow64\windowspowershell\v1.0\modules\neteventpacketcapture$$msft_neteventvmnetworkadatper.cdxml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\66windows\syswow64\windowspowershell\v1.0\modules\iscsi
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1165_none_f9388606107572b3
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.1_none_30a02f8ac0551efb
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.867_none_b57fce26790eec1330f3e
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..lebrowser.resources_31bf3856ad364e35_10.0.19041.1_en-us_4373d0692dcd3a06
Source: metadata-2.3.dr Binary or memory string: windows.devices.winmd22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\ttwindows\syswow64\windowspowershell\v1.0\modules\psdesiredstateconfiguration\dscresources\msft_processresource\en-gb msft_processresource.schema.mfl22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\FFwindows\syswow64\windowspowershell\v1.0\modules\neteventpacketcapture,,msft_neteventvmnetworkadatper.format.ps1xml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\
Source: metadata-2.3.dr Binary or memory string: processset.psd122\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\FFwindows\system32\windowspowershell\v1.0\modules\neteventpacketcapture$$msft_neteventvmnetworkadatper.cdxml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\66windows\system32\windowspowershell\v1.0\modules\iscsi
Source: SrTasks.exe, 00000008.00000003.14940338744.000001957BD5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.1_none_b6a6a2ae8b1ec7b0
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo.resources_31bf3856ad364e35_10.0.19041.1_en-us_1a380741b2ac7b04
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid.resources_31bf3856ad364e35_10.0.19041.1_en-us_447494df1222bcd8P
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.928_none_e22c6ae2239eceef909cf564R
Source: SrTasks.exe, 00000008.00000003.14961972416.000001957D6D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: wow64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_97e0d8d7edeea1645ae48
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-us_7f1134951b6fe2f2
Source: SrTasks.exe, 00000008.00000003.15111426817.000001957B5A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msft_neteventvmnetworkadatper.format.ps1xmlLMEMX(
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vhd-parser_31bf3856ad364e35_10.0.19041.1_none_34b87765e20dcc15
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1_none_e64260e504e2ce32897
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..rvisor-host-service_31bf3856ad364e35_10.0.19041.1_none_2246f2e6f0441379.
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.1_none_e5031cd2031d874a
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.746_none_6fbcad1699b89a67
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1_none_eb319bc9ff262eec
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser_31bf3856ad364e35_10.0.19041.1_none_3f6b6ada79aa7a694751718744
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..nthfcvdev.resources_31bf3856ad364e35_10.0.19041.1_en-us_6ca4b4247e291981
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winsock-provider_31bf3856ad364e35_10.0.19041.1_none_8d8c2e85b98ddf69u
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.1_none_914c74df26ba9a96B
Source: SrTasks.exe, 00000008.00000003.15009023900.000001957DBF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vid_31bf3856ad364e35_10.0.19041.546_none_58a869077fc6e2f7Z
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-3dvideo_31bf3856ad364e35_10.0.19041.1_none_8b74d6c4b2fcd095077e9bbbdaf816q
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-passthru-parser_31bf3856ad364e35_10.0.19041.1_none_d7dfb451bd621127
Source: SrTasks.exe, 00000008.00000003.14994660014.000001957D9F8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.14988000384.000001957D9F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..izationv2.resources_31bf3856ad364e35_10.0.19041.1_en-gb_7788797720472f2d
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa_31bf3856ad364e35_10.0.19041.1_none_555170071aa29c2c12d6915fcb0e69d2e/
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..apinabout.resources_31bf3856ad364e35_10.0.19041.1_en-us_d314f4eb3925c8b5
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-h..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_ddaeabc80a3525d6
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..failoverreplication_31bf3856ad364e35_10.0.19041.1_none_50b60ffc14c70fb2
Source: metadata-2.3.dr Binary or memory string: windows.devices.winmd22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\ttwindows\system32\windowspowershell\v1.0\modules\psdesiredstateconfiguration\dscresources\msft_processresource\en-gb msft_processresource.schema.mfl22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\FFwindows\system32\windowspowershell\v1.0\modules\neteventpacketcapture,,msft_neteventvmnetworkadatper.format.ps1xml22\\?\Volume{63c21a82-642d-4153-9cda-ad16c96eec93}\
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug_31bf3856ad364e35_10.0.19041.1_none_ba0c8961643f1b8b1
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmcl_31bf3856ad364e35_10.0.19041.1_none_29421b2ffbc5ca5c
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp_31bf3856ad364e35_10.0.19041.1052_none_aa1b5c7a14ea46dd
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-rdv_31bf3856ad364e35_10.0.19041.1_none_30c4d3b8c03afdd6
Source: SrTasks.exe, 00000008.00000003.15045251124.000001957F710000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmdebug.dll
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmms_31bf3856ad364e35_10.0.19041.1_none_ec871523fe4a3c374951b6fe2f2
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vmwp.resources_31bf3856ad364e35_10.0.19041.1_en-us_369e8b635061fdb3f
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.964_none_3542494c595902f8c2
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-lun-parser_31bf3856ad364e35_10.0.19041.1_none_b6d8bfc73f89cc96399d5452c55
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.928_none_d35bf07ab5380c24P
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-remotefilebrowser_31bf3856ad364e35_10.0.19041.1_none_47b46fcdda46dc1d
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-pvhd-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_0ccb9f4751718744
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.1_none_e9372a65640b0bcf
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..-netsetup.resources_31bf3856ad364e35_10.0.19041.1_en-us_299ac5951a49c2de<
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.928_none_1fa9f09ad10e24e0
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.928_none_8573a187d4da526fab5380c242e6d4aA
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61914c74df26ba9a96
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.423_en-us_f14a4bbefe65ac879
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..t-clients.resources_31bf3856ad364e35_10.0.19041.1_en-us_a3e0d97c4c052586
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser_31bf3856ad364e35_10.0.19041.1_none_a7bb53746630ebd34c771f203a
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..ck-virtualizationv2_31bf3856ad364e35_10.0.19041.1_none_25a2ff96aac272dda
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.1_none_f4c869717eb5b208
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-emulatedstorage_31bf3856ad364e35_10.0.19041.928_none_b96c565fe61a4dfa
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhvr_31bf3856ad364e35_10.0.19041.1_none_fc5d2e67adee5611
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-m..-client.snapinabout_31bf3856ad364e35_10.0.19041.1_none_43a9017744e82ca8
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..rvcluster.resources_31bf3856ad364e35_10.0.19041.1_en-us_78dfc47123c588953
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-ram-parser.resources_31bf3856ad364e35_10.0.19041.1_en-us_50c23e4c771f203a6e
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-synthfcvdev_31bf3856ad364e35_10.0.19041.928_none_1ce84af23e15656cc8d6
Source: SrTasks.exe, 00000008.00000003.15083247042.00000195799E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: msft_neteventvmnetworkadatper.cdxmlLMEMH
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_en-us_168291f09487ebd52db5474^
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb_31bf3856ad364e35_10.0.19041.928_none_0d22fe52c27d3aae16107572b3
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..ationcomponents-rdv_31bf3856ad364e35_10.0.19041.1_none_f78a0f1a11ae717c
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-config_31bf3856ad364e35_10.0.19041.1_none_ab3c0ef9f5d858c047e291981
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-d..s-vmswitch-netsetup_31bf3856ad364e35_10.0.19041.1_none_3a58d94ffaa9d897b
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-management-clients_31bf3856ad364e35_10.0.19041.1_none_a87cce111f2d21d5c1d
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-vsmb.resources_31bf3856ad364e35_10.0.19041.1_en-us_c92f752e3f016999
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-sysprep-provider_31bf3856ad364e35_10.0.19041.789_none_111728dc239a85e2g
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-i..nents-rdv.resources_31bf3856ad364e35_10.0.19041.1_en-us_b3d1ef0d088d6955
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-kmclr_31bf3856ad364e35_10.0.19041.1_none_884ef285596dd59451a8a399d5452c55
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-v..edstorage.resources_31bf3856ad364e35_10.0.19041.1_en-us_8e6d1518accc0bf5N
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-debug.resources_31bf3856ad364e35_10.0.19041.1_en-us_5ee8ada67d246bda
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-vstack-hypervcluster_31bf3856ad364e35_10.0.19041.1_none_a2ace16370124ff4#
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-integration-rdv-core_31bf3856ad364e35_10.0.19041.1_none_0d51a8a399d5452cc
Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.1_none_5d53c007157a9f0b4260e504e2ce32c6
Source: SrTasks.exe, 00000008.00000003.15045251124.000001957F710000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmdebug.dll|<
Source: SrTasks.exe, 00000008.00000003.15009023900.000001957DBF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-drivers-hypervisor_31bf3856ad364e35_10.0.19041.1165_none_a5220d9b1aae684eb
Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-windows-hyper-v-vfpext_31bf3856ad364e35_10.0.19041.610_none_dec94c194a7d9cf6
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\SrTasks.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: SrTasks.exe, 00000008.00000003.15037999486.000001957C760000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: procdump.exe
Source: SrTasks.exe, 00000008.00000003.15040411048.000001957C860000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
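Every "Binary or memory string" entry above was taken from the memory of SrTasks.exe (the first field of each dump name is 00000008 in all of them), not from any file the installer dropped, and the Hyper-V strings have the shape of WinSxS component-store directory names (Microsoft's Windows public key token 31bf3856ad364e35 followed by a file version). The script below is an added example and is not part of the sandbox report: it parses lines of this shape, attributes each matched string to the process that held it, and buckets the string as a WinSxS component name, an AV or tooling process name (the names that feed the "AV process strings found" signature), or other, so the analyst can see which process produced each hit before weighting it. The sample lines are constructed from the entries above; treating the first dump-name field as the sandbox's per-process index, and the two process-name lists, are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries, shaped like the "Binary or memory string" lines in
# the report above (process name, memory-dump identifier, matched string).
REPORT_LINES = [
    "Source: SrTasks.exe, 00000008.00000003.14928954102.000001957BC42000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-winhv_31bf3856ad364e35_10.0.19041.1_none_93cc37f483916b61914c74df26ba9a96",
    "Source: SrTasks.exe, 00000008.00000003.15086578109.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp, SrTasks.exe, 00000008.00000003.15065868677.000001957DCC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: amd64_microsoft-hyper-v-hgs_31bf3856ad364e35_10.0.19041.928_none_8573a187d4da526fab5380c242e6d4aA",
    "Source: SrTasks.exe, 00000008.00000003.15037999486.000001957C760000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: procdump.exe",
    "Source: SrTasks.exe, 00000008.00000003.15040411048.000001957C860000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe",
    "Source: SrTasks.exe, 00000008.00000003.15045251124.000001957F710000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmdebug.dll|<",
]

HIT_RE = re.compile(r"^Source: (?P<sources>.+?) Binary or memory string: (?P<text>.*)$")
# One "<process>, <dump>.sdmp" pair. The first 8-digit field of the dump name is
# treated here as the sandbox's per-process index (assumption about the naming).
DUMP_RE = re.compile(r"(?P<proc>[^,\s]+), (?P<idx>\d{8})\.\S+\.sdmp")

# 31bf3856ad364e35 is the public key token Microsoft uses for Windows components
# in WinSxS, so a string of this shape is a component-store directory name.
WINSXS_RE = re.compile(r"^(amd64|x86|wow64|msil)_\S+?_31bf3856ad364e35_\d+\.\d+\.\d+\.\d+_")

# Names that trigger "AV process strings found"-style signatures; these two are
# the ones present in this report (assumed list, extend as needed).
AV_PROCESS_NAMES = {"msmpeng.exe", "procdump.exe"}

# Windows binaries that appear as sources in this report (assumed list):
# SrTasks.exe runs System Restore tasks, msiexec.exe is the Windows Installer.
WINDOWS_SYSTEM_PROCESSES = {"srtasks.exe", "msiexec.exe"}


def parse_hit(line):
    """Split one report line into the matched string and its (process, index) sources."""
    m = HIT_RE.match(line.strip())
    if not m:
        return None
    sources = [(d.group("proc"), int(d.group("idx")))
               for d in DUMP_RE.finditer(m.group("sources"))]
    if not sources:
        return None
    return {"sources": sources, "text": m.group("text")}


def classify_string(text):
    """Bucket a matched string: WinSxS component name, AV/tool process name, or other."""
    if WINSXS_RE.match(text):
        return "winsxs-component"
    if text.strip().lower() in AV_PROCESS_NAMES:
        return "av-process-name"
    return "other"


def triage(lines):
    """Count categories per source process and record which process held each AV-name hit."""
    per_process = defaultdict(Counter)
    av_hits = []
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        category = classify_string(hit["text"])
        # A hit listed against several dumps of the same process counts once.
        for proc in {p for p, _ in hit["sources"]}:
            per_process[proc][category] += 1
        if category == "av-process-name":
            proc, idx = hit["sources"][0]
            av_hits.append({
                "string": hit["text"],
                "process": proc,
                "process_index": idx,
                "in_windows_system_process": proc.lower() in WINDOWS_SYSTEM_PROCESSES,
            })
    return {"per_process": dict(per_process), "av_hits": av_hits}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for proc, counts in result["per_process"].items():
        print(proc, dict(counts))
    for hit in result["av_hits"]:
        print(hit)
```

Run on the constructed lines, every category is attributed to SrTasks.exe and both AV-name hits are flagged as coming from a Windows system process. That attribution is a triage aid, not a verdict: a string in a system process's memory is lower-confidence evidence about the sample than the same string in a dropped PE, but it does not by itself rule out injection, so check the report's process tree and dropped-file sections before discarding the finding.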
No contacted IP infos