Hi all,
I am having some weird behaviour from msedgewebview2.exe where lots of TCP connections are made. While they seem like legitimate Microsoft ASNs, their geography is a bit mixed, and I don't think my current ISP works the best for this particular scheme.
Microsoft.Internal.WarpPal.dll is found in these following processes:
- SystemSettings.exe
- msedgewebview2.exe
- msedge.exe
- explorer.exe
- msedge.exe
- TextInputHost.exe
- StartMenuExperienceHost.exe
- WigetBoard.exe
- Notepad.exe
- SearchHost.exe
- ShellHost.exe
- ApplicationFrameHost.exe
- steamwebhelper.exe
Which makes me think the following bug is experienced because of it:
I use the search bar to select and open `Steam`, and sometimes the computer bluescreens or freezes permanently. If not, Steam takes an incredibly long time to open (1-2 minutes on my high-end PC).
While searching in Windows Start, lots of TCP connections are made too, even though I disabled OneDrive, disabled all the privacy settings about searching across 365, etc.
I can't uninstall WebView2 without running an uninstaller executable that I can't verify is safe.
There are also plenty of settings one can disable in Edge that constantly communicate to backends, like Microsoft Wallet, Microsoft Rewards, other synchronizations.
I am afraid that due to the nature of this library, even if considered secure, the surface area is quite large and a process injection might happen.
Maybe this explains the flickering I see sometimes on boot, of the icons on my desktop, periodic VPN disconnection, etc. I also see command prompts sometimes flashing.
I am wondering if anyone also has input they are willing to share on what the likely threat vector is: could it be a known APT or infostealer targeting my ISP, some C2, etc., that targets this particular component of Windows? Is it a fileless payload, like an IBM X-Force malware family profile, etc.? I am curious. 😀
Related dll: webview2standalone.dll
Farewell everyone!
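The post lists processes in which a DLL appears and a burst of TCP connections from one of them, but it does not show how those two observations were tied to the file on disk. The following PowerShell is an added triage example, not code from the original post or from Microsoft: it enumerates every process that has a given module loaded, checks the Authenticode signature and on-disk path of that module, and then lists the TCP connections owned by exactly those processes. The module name is taken from the post; everything else (variable names, output columns) is my own. Run it from an elevated prompt so that protected processes can be inspected; without elevation, access-denied errors on some processes are expected and are swallowed.

```powershell
# Added triage example (not from the original post). Assumes the module name
# below; replace it with whatever DLL you are investigating.
$ModuleName = 'Microsoft.Internal.WarpPal.dll'

# 1. Find every process with the module loaded and check the file's signature.
#    A legitimate OS component is normally signed by Microsoft and lives under
#    C:\Windows\System32 or C:\Program Files\WindowsApps; a copy elsewhere, or
#    an invalid/missing signature, is what actually warrants a closer look.
$loaded = Get-Process | ForEach-Object {
    $proc = $_
    try {
        $proc.Modules |
            Where-Object { $_.ModuleName -ieq $ModuleName } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FileName
                [pscustomobject]@{
                    Pid       = $proc.Id
                    Process   = $proc.ProcessName
                    Path      = $_.FileName
                    SigStatus = $sig.Status          # expect 'Valid'
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    } catch {
        # Access denied on protected or higher-integrity processes is normal
        # when not running elevated; skip them rather than abort the survey.
    }
}

"Processes with $ModuleName loaded:"
$loaded | Sort-Object Process, Pid | Format-Table -AutoSize

"Distinct on-disk copies of the module:"
$loaded | Select-Object Path, SigStatus, Signer -Unique | Format-Table -AutoSize

# 2. Map the TCP activity to those same processes. Remote addresses can then be
#    checked against the publisher's documented endpoints instead of guessing
#    from geography alone.
$pids = $loaded.Pid | Sort-Object -Unique
if ($pids) {
    "TCP connections owned by those processes:"
    Get-NetTCPConnection -OwningProcess $pids -ErrorAction SilentlyContinue |
        Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort, State |
        Sort-Object OwningProcess, RemoteAddress |
        Format-Table -AutoSize
} else {
    "No process currently has $ModuleName loaded (or none was accessible)."
}
```

The point of the signature and path check is to separate "this DLL is present in many processes" (expected for a shared component that shell and WebView2-hosted processes all load) from "an unsigned or out-of-place copy of this DLL is present", which is the finding that would support the process-injection concern raised above. If you want to watch connection churn over time rather than a snapshot, wrap step 2 in a loop with `Start-Sleep` and compare the `RemoteAddress` sets between iterations.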