| File name: | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe |
| Full analysis: | https://app.any.run/tasks/330f1619-71fa-4055-90cc-5addb2aaed9c |
| Verdict: | Malicious activity |
| Analysis date: | March 16, 2019, 20:25:14 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
| MD5: | C12FFB549B328475007BAFA8BD83C141 |
| SHA1: | 95E498A82E534A339B34D64555F54497B2B6FDCE |
| SHA256: | E55267F5D6AF28DCB71AEEB354A61C0038EB1CD0C4641DFBD743BB7DE9DCA5A7 |
| SSDEEP: | 196608:UY1o9cqGxGLWLD/7cQq8TN1sZwSlKZsnVAx2:T1ucqGxUWfgSrillKZsVM2 |
MALICIOUS
Application was dropped or rewritten from another process
- irsetup.exe (PID: 1960)
- dpinst.exe (PID: 3924)
- dpinst.exe (PID: 3968)
- dpinst.exe (PID: 3340)
- dpinst.exe (PID: 2768)
- dpinst.exe (PID: 2388)
- irsetup.exe (PID: 2716)
- dpinst.exe (PID: 1868)
- dpinst.exe (PID: 3484)
- dpinst.exe (PID: 3996)
- 04dff36aa60d5f1f35fa12b017fba3770c305c59.exe (PID: 3568)
- irsetup.exe (PID: 2652)
- dpinst.exe (PID: 2424)
- dpinst.exe (PID: 4056)
- dpinst.exe (PID: 1396)
- 88a790c4a7916837dd824b6e66f25e8c8adb9fed.exe (PID: 3408)
- dpinst.exe (PID: 2696)
- irsetup.exe (PID: 752)
- dpinst.exe (PID: 2184)
- dpinst.exe (PID: 3692)
- dpinst.exe (PID: 2344)
- dpinst.exe (PID: 3320)
- dpinst.exe (PID: 3088)
- dpinst.exe (PID: 3720)
- dpinst.exe (PID: 3620)
- dpinst.exe (PID: 3480)
- dpinst.exe (PID: 2692)
- dpinst.exe (PID: 3912)
- dpinst.exe (PID: 2988)
- dpinst.exe (PID: 3544)
- dpinst.exe (PID: 4036)
- dpinst.exe (PID: 3388)
- dpinst.exe (PID: 2564)
- dpinst.exe (PID: 4032)
- dpinst.exe (PID: 1940)
- dpinst.exe (PID: 3300)
- dpinst.exe (PID: 3052)
- dpinst.exe (PID: 3852)
- dpinst.exe (PID: 3304)
- dpinst.exe (PID: 992)
- dpinst.exe (PID: 3820)
- dpinst.exe (PID: 2524)
- dpinst.exe (PID: 3660)
- dpinst.exe (PID: 2360)
- dpinst.exe (PID: 2308)
- dpinst.exe (PID: 3008)
- dpinst.exe (PID: 2156)
- dpinst.exe (PID: 3732)
- dpinst.exe (PID: 2252)
- dpinst.exe (PID: 3328)
- dpinst.exe (PID: 3704)
- dpinst.exe (PID: 1864)
- dpinst.exe (PID: 3720)
- dpinst.exe (PID: 3248)
- dpinst.exe (PID: 2580)
- dpinst.exe (PID: 3528)
- dpinst.exe (PID: 1516)
- dpinst.exe (PID: 3496)
- f12315b291cb12c33aa882abae87397c0c2e49c8.exe (PID: 2804)
- irsetup.exe (PID: 3536)
- vcredist_x86.exe (PID: 656)
- Setup.exe (PID: 1724)
- ExeLauncher.exe (PID: 2720)
- ExeInvoker.exe (PID: 2520)
- UninstallShld.exe (PID: 3872)
- InstallUSB.exe (PID: 3616)
- dpinst.exe (PID: 3952)
- dpinst.exe (PID: 3764)
- dpinst.exe (PID: 2280)
- dpinst.exe (PID: 2892)
- dpinst.exe (PID: 128)
- dpinst.exe (PID: 1248)
- dpinst.exe (PID: 972)
- dpinst.exe (PID: 2376)
- dpinst.exe (PID: 1684)
- dpinst.exe (PID: 4068)
- dpinst.exe (PID: 4080)
- dpinst.exe (PID: 2288)
- dpinst.exe (PID: 2772)
- dpinst.exe (PID: 2628)
- dpinst.exe (PID: 3028)
- dpinst.exe (PID: 2928)
- dpinst.exe (PID: 932)
- dpinst.exe (PID: 2576)
- dpinst.exe (PID: 280)
- dpinst.exe (PID: 2744)
- dpinst.exe (PID: 4072)
- dpinst.exe (PID: 2360)
- irsetup.exe (PID: 3972)
- dpinst.exe (PID: 2692)
- 1228d68c662bc087f761f82eb76af633e7c02686.exe (PID: 3264)
Changes settings of System certificates
- ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe (PID: 1812)
- irsetup.exe (PID: 1960)
- irsetup.exe (PID: 2716)
- MSI187.tmp (PID: 4080)
- irsetup.exe (PID: 2652)
- irsetup.exe (PID: 752)
- irsetup.exe (PID: 3536)
- msiexec.exe (PID: 2700)
- irsetup.exe (PID: 3972)
Loads dropped or rewritten executable
- irsetup.exe (PID: 1960)
- irsetup.exe (PID: 2716)
- irsetup.exe (PID: 2652)
- irsetup.exe (PID: 752)
- irsetup.exe (PID: 3536)
- Setup.exe (PID: 1724)
- irsetup.exe (PID: 3972)
SUSPICIOUS
Executable content was dropped or overwritten
- b1a0d51eeb0b96e443ffd0da6881a9862bca9594.exe (PID: 3804)
- irsetup.exe (PID: 1960)
- ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe (PID: 1812)
- dpinst.exe (PID: 2768)
- DrvInst.exe (PID: 2268)
- 0629d5358517ae765817d4455bb12109745aac9b.exe (PID: 2240)
- irsetup.exe (PID: 2716)
- MsiExec.exe (PID: 2948)
- DrvInst.exe (PID: 2736)
- DrvInst.exe (PID: 3724)
- dpinst.exe (PID: 1868)
- msiexec.exe (PID: 2700)
- dpinst.exe (PID: 3996)
- DrvInst.exe (PID: 312)
- 04dff36aa60d5f1f35fa12b017fba3770c305c59.exe (PID: 3568)
- irsetup.exe (PID: 2652)
- dpinst.exe (PID: 1396)
- irsetup.exe (PID: 752)
- 88a790c4a7916837dd824b6e66f25e8c8adb9fed.exe (PID: 3408)
- DrvInst.exe (PID: 2996)
- dpinst.exe (PID: 2580)
- DrvInst.exe (PID: 3144)
- DrvInst.exe (PID: 2340)
- DrvInst.exe (PID: 3020)
- DrvInst.exe (PID: 3964)
- dpinst.exe (PID: 3496)
- DrvInst.exe (PID: 4008)
- vcredist_x86.exe (PID: 656)
- f12315b291cb12c33aa882abae87397c0c2e49c8.exe (PID: 2804)
- irsetup.exe (PID: 3536)
- InstallUSB.exe (PID: 3616)
- DrvInst.exe (PID: 2904)
- DrvInst.exe (PID: 3468)
- a6013bbd273450b4838da21a135973eb8f41b332.exe (PID: 2748)
- irsetup.exe (PID: 3972)
- dpinst.exe (PID: 2744)
Searches for installed software
- irsetup.exe (PID: 1960)
- DllHost.exe (PID: 3696)
- DllHost.exe (PID: 2760)
- irsetup.exe (PID: 2716)
- DrvInst.exe (PID: 2736)
- irsetup.exe (PID: 2652)
- DllHost.exe (PID: 2072)
- DrvInst.exe (PID: 312)
- DrvInst.exe (PID: 2996)
- irsetup.exe (PID: 752)
- DllHost.exe (PID: 3516)
- irsetup.exe (PID: 3536)
- DllHost.exe (PID: 1660)
- InstallUSB.exe (PID: 3616)
- DllHost.exe (PID: 2952)
Creates files in the program directory
- ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe (PID: 1812)
- InstallUSB.exe (PID: 3616)
Starts CMD.EXE for commands execution
- irsetup.exe (PID: 1960)
- irsetup.exe (PID: 2716)
- irsetup.exe (PID: 2652)
- irsetup.exe (PID: 752)
- irsetup.exe (PID: 3536)
- irsetup.exe (PID: 3972)
Creates files in the Windows directory
- dpinst.exe (PID: 3340)
- DrvInst.exe (PID: 2268)
- DrvInst.exe (PID: 2844)
- DrvInst.exe (PID: 2736)
- DrvInst.exe (PID: 312)
- DrvInst.exe (PID: 900)
- DrvInst.exe (PID: 1824)
- DrvInst.exe (PID: 3724)
- DrvInst.exe (PID: 2996)
- DrvInst.exe (PID: 1452)
- DrvInst.exe (PID: 3176)
- DrvInst.exe (PID: 2472)
- DrvInst.exe (PID: 3144)
- DrvInst.exe (PID: 3344)
- DrvInst.exe (PID: 3748)
- DrvInst.exe (PID: 3020)
- DrvInst.exe (PID: 3932)
- DrvInst.exe (PID: 2340)
- DrvInst.exe (PID: 2856)
- DrvInst.exe (PID: 3192)
- DrvInst.exe (PID: 3964)
- DrvInst.exe (PID: 4008)
- DrvInst.exe (PID: 3572)
- DrvInst.exe (PID: 3536)
- DrvInst.exe (PID: 3924)
- DrvInst.exe (PID: 2024)
- DrvInst.exe (PID: 3312)
- DrvInst.exe (PID: 2256)
- DrvInst.exe (PID: 3076)
- DrvInst.exe (PID: 2860)
- DrvInst.exe (PID: 1708)
- DrvInst.exe (PID: 3256)
- DrvInst.exe (PID: 2332)
- DrvInst.exe (PID: 2904)
- DrvInst.exe (PID: 3552)
- DrvInst.exe (PID: 364)
- DrvInst.exe (PID: 1908)
- DrvInst.exe (PID: 4056)
- DrvInst.exe (PID: 2596)
- DrvInst.exe (PID: 2144)
- DrvInst.exe (PID: 280)
- DrvInst.exe (PID: 1384)
- DrvInst.exe (PID: 1176)
- DrvInst.exe (PID: 3052)
- DrvInst.exe (PID: 2064)
- DrvInst.exe (PID: 3468)
- DrvInst.exe (PID: 3160)
- DrvInst.exe (PID: 3776)
- DrvInst.exe (PID: 3024)
- DrvInst.exe (PID: 3940)
- DrvInst.exe (PID: 3604)
- DrvInst.exe (PID: 2148)
- DrvInst.exe (PID: 3752)
- DrvInst.exe (PID: 2412)
- DrvInst.exe (PID: 2156)
- DrvInst.exe (PID: 2456)
- DrvInst.exe (PID: 3672)
- DrvInst.exe (PID: 1040)
- DrvInst.exe (PID: 3392)
- DrvInst.exe (PID: 1888)
- DrvInst.exe (PID: 3876)
- DrvInst.exe (PID: 2712)
- DrvInst.exe (PID: 1140)
- DrvInst.exe (PID: 2532)
- DrvInst.exe (PID: 2636)
- DrvInst.exe (PID: 2772)
- DrvInst.exe (PID: 672)
- DrvInst.exe (PID: 4036)
- DrvInst.exe (PID: 2244)
Creates files in the driver directory
- DrvInst.exe (PID: 2268)
- DrvInst.exe (PID: 2844)
- DrvInst.exe (PID: 2736)
- DrvInst.exe (PID: 3724)
- DrvInst.exe (PID: 900)
- DrvInst.exe (PID: 1824)
- DrvInst.exe (PID: 312)
- DrvInst.exe (PID: 2996)
- DrvInst.exe (PID: 1452)
- DrvInst.exe (PID: 3176)
- DrvInst.exe (PID: 2472)
- DrvInst.exe (PID: 3144)
- DrvInst.exe (PID: 3344)
- DrvInst.exe (PID: 3748)
- DrvInst.exe (PID: 3192)
- DrvInst.exe (PID: 3020)
- DrvInst.exe (PID: 3932)
- DrvInst.exe (PID: 2340)
- DrvInst.exe (PID: 2856)
- DrvInst.exe (PID: 3964)
- DrvInst.exe (PID: 4008)
- DrvInst.exe (PID: 3572)
- DrvInst.exe (PID: 3536)
- DrvInst.exe (PID: 3924)
- DrvInst.exe (PID: 2024)
- DrvInst.exe (PID: 3312)
- DrvInst.exe (PID: 2256)
- DrvInst.exe (PID: 3076)
- DrvInst.exe (PID: 1708)
- DrvInst.exe (PID: 2860)
- DrvInst.exe (PID: 3256)
- DrvInst.exe (PID: 1384)
- DrvInst.exe (PID: 3552)
- DrvInst.exe (PID: 2904)
- DrvInst.exe (PID: 280)
- DrvInst.exe (PID: 4056)
- DrvInst.exe (PID: 1908)
- DrvInst.exe (PID: 2596)
- DrvInst.exe (PID: 2332)
- DrvInst.exe (PID: 364)
- DrvInst.exe (PID: 2144)
- DrvInst.exe (PID: 1176)
- DrvInst.exe (PID: 3160)
- DrvInst.exe (PID: 3052)
- DrvInst.exe (PID: 2064)
- DrvInst.exe (PID: 3468)
- DrvInst.exe (PID: 3024)
- DrvInst.exe (PID: 3776)
- DrvInst.exe (PID: 3940)
- DrvInst.exe (PID: 3604)
- DrvInst.exe (PID: 2148)
- DrvInst.exe (PID: 2412)
- DrvInst.exe (PID: 2156)
- DrvInst.exe (PID: 3672)
- DrvInst.exe (PID: 1040)
- DrvInst.exe (PID: 3752)
- DrvInst.exe (PID: 1140)
- DrvInst.exe (PID: 3392)
- DrvInst.exe (PID: 2532)
- DrvInst.exe (PID: 1888)
- DrvInst.exe (PID: 3876)
- DrvInst.exe (PID: 2712)
- DrvInst.exe (PID: 2456)
- DrvInst.exe (PID: 2636)
- DrvInst.exe (PID: 2772)
- DrvInst.exe (PID: 2244)
- DrvInst.exe (PID: 672)
- DrvInst.exe (PID: 4036)
Removes files from Windows directory
- DrvInst.exe (PID: 2844)
- DrvInst.exe (PID: 2268)
- DrvInst.exe (PID: 2736)
- DrvInst.exe (PID: 3724)
- DrvInst.exe (PID: 900)
- DrvInst.exe (PID: 312)
- DrvInst.exe (PID: 1824)
- DrvInst.exe (PID: 2996)
- DrvInst.exe (PID: 3748)
- DrvInst.exe (PID: 1452)
- DrvInst.exe (PID: 3144)
- DrvInst.exe (PID: 3176)
- DrvInst.exe (PID: 2472)
- DrvInst.exe (PID: 3932)
- DrvInst.exe (PID: 3020)
- DrvInst.exe (PID: 2340)
- DrvInst.exe (PID: 2856)
- DrvInst.exe (PID: 3964)
- DrvInst.exe (PID: 3192)
- DrvInst.exe (PID: 3344)
- DrvInst.exe (PID: 4008)
- DrvInst.exe (PID: 2024)
- DrvInst.exe (PID: 3572)
- DrvInst.exe (PID: 3536)
- DrvInst.exe (PID: 3924)
- DrvInst.exe (PID: 3312)
- DrvInst.exe (PID: 3076)
- DrvInst.exe (PID: 2256)
- DrvInst.exe (PID: 2860)
- DrvInst.exe (PID: 1708)
- DrvInst.exe (PID: 3256)
- DrvInst.exe (PID: 1384)
- DrvInst.exe (PID: 2332)
- DrvInst.exe (PID: 280)
- DrvInst.exe (PID: 3552)
- DrvInst.exe (PID: 364)
- DrvInst.exe (PID: 4056)
- DrvInst.exe (PID: 2596)
- DrvInst.exe (PID: 2144)
- DrvInst.exe (PID: 2904)
- DrvInst.exe (PID: 1908)
- DrvInst.exe (PID: 1176)
- DrvInst.exe (PID: 3160)
- DrvInst.exe (PID: 3052)
- DrvInst.exe (PID: 2064)
- DrvInst.exe (PID: 3468)
- DrvInst.exe (PID: 3776)
- DrvInst.exe (PID: 3940)
- DrvInst.exe (PID: 3604)
- DrvInst.exe (PID: 3024)
- DrvInst.exe (PID: 3752)
- DrvInst.exe (PID: 2412)
- DrvInst.exe (PID: 2156)
- DrvInst.exe (PID: 3672)
- DrvInst.exe (PID: 1040)
- DrvInst.exe (PID: 2456)
- DrvInst.exe (PID: 2148)
- DrvInst.exe (PID: 1140)
- DrvInst.exe (PID: 2532)
- DrvInst.exe (PID: 1888)
- DrvInst.exe (PID: 2712)
- DrvInst.exe (PID: 2636)
- DrvInst.exe (PID: 3392)
- DrvInst.exe (PID: 3876)
- DrvInst.exe (PID: 2772)
- DrvInst.exe (PID: 2244)
- DrvInst.exe (PID: 672)
- DrvInst.exe (PID: 4036)
Starts Microsoft Installer
- irsetup.exe (PID: 2716)
- irsetup.exe (PID: 3536)
INFO
Changes settings of System certificates
- DrvInst.exe (PID: 2736)
- DrvInst.exe (PID: 312)
- DrvInst.exe (PID: 2996)
Application launched itself
- msiexec.exe (PID: 2700)
Starts application with an unusual extension
- msiexec.exe (PID: 2700)
Creates a software uninstall entry
- msiexec.exe (PID: 2700)
Low-level read access rights to disk partition
- vssvc.exe (PID: 1744)
Creates files in the program directory
- msiexec.exe (PID: 2700)
Adds / modifies Windows certificates
- DrvInst.exe (PID: 312)
- DrvInst.exe (PID: 2996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (76) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.6) |
| .exe | | | Generic Win/DOS Executable (5.6) |
| .exe | | | DOS Executable Generic (5.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:02:11 12:20:32+01:00 |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 7872512 |
| InitializedDataSize: | 86016 |
| UninitializedDataSize: | 20312064 |
| EntryPoint: | 0x1ae1360 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.46.1217.0 |
| ProductVersionNumber: | 2.46.1217.0 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Euroserver Sro. |
| FileDescription: | Chimera mobile tool installer |
| InternalName: | chimeraInstaller |
| LegalCopyright: | Copyright (C) 2016 Euroserver Sro. |
| OriginalFileName: | ChimeraInstaller.exe |
| ProductName: | Chimera Installer |
| FileVersion: | 2, 46, 1217, 0 |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 11-Feb-2019 11:20:32 |
| Detected languages: |
|
| CompanyName: | Euroserver Sro. |
| FileDescription: | Chimera mobile tool installer |
| FileVersion: | 2, 46, 1217, 0 |
| InternalName: | chimeraInstaller |
| LegalCopyright: | Copyright (C) 2016 Euroserver Sro. |
| OriginalFilename: | ChimeraInstaller.exe |
| ProductName: | Chimera Installer |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000138 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 3 |
| Time date stamp: | 11-Feb-2019 11:20:32 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x0135F000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x01360000 | 0x00782000 | 0x00782000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99998 |
.rsrc | 0x01AE2000 | 0x00015000 | 0x00014E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.40807 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 4.89623 | 392 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.42291 | 9640 | UNKNOWN | English - United States | RT_ICON |
3 | 3.90194 | 4264 | UNKNOWN | English - United States | RT_ICON |
4 | 3.77437 | 1128 | UNKNOWN | English - United States | RT_ICON |
IDI_ICON1 | 2.65982 | 62 | UNKNOWN | English - United States | RT_GROUP_ICON |
Imports
ADVAPI32.dll |
CRYPT32.dll |
GDI32.dll |
IMM32.dll |
IPHLPAPI.DLL |
KERNEL32.DLL |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
UxTheme.dll |
Total processes
253
Monitored processes
205
Malicious processes
81
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 128 | "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\dpinst.exe" /SW /D /U "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\ssadsdm2.inf" | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\dpinst.exe | — | irsetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Driver Package Installer Exit code: 2147483648 Version: 2.1 Modules
| |||||||||||||||
| 184 | rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{87c011d8-938f-4017-a0ac-6fb266484dc2} "(null)" | C:\Windows\system32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 280 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{3314479a-be0a-3987-9968-ed462c294b02}\lgandnetndis.inf" "0" "68cbafc27" "000003A8" "WinSta0\Default" "0000053C" "208" "C:\Program Files\LG Electronics\LG Mobile Drivers\NDIS62" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 280 | "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\dpinst.exe" /SW /D /U "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\ssudrnds.inf" | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\dpinst.exe | — | irsetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Driver Package Installer Exit code: 2147483648 Version: 2.1 Modules
| |||||||||||||||
| 312 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{03e4bc51-7afb-6efc-b6c3-0f39895a7e6d}\raakcrdmx.inf" "0" "69df85893" "000005C4" "WinSta0\Default" "000004D8" "208" "c:\users\admin\appdata\local\temp\_ir_sf_temp_0\smartcard\sc_card" | C:\Windows\system32\DrvInst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 348 | C:\Windows\system32\MsiExec.exe -Embedding A0DE5447C427C03D03D91781B631BB5E | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 364 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{7dede327-ba4f-7a92-268b-507766d2135f}\lgandnetrndis.inf" "0" "63ec36b27" "0000053C" "WinSta0\Default" "000003D4" "208" "C:\Program Files\LG Electronics\LG Mobile Drivers" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 656 | "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\vcredist_x86.exe" /q | C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\vcredist_x86.exe | irsetup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Visual C++ 2010 x86 Redistributable Setup Exit code: 5100 Version: 10.0.30319.01 Modules
| |||||||||||||||
| 672 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{43ab5bd7-d3e9-7de6-e95a-061b6d157c5f}\ssudserd.inf" "0" "62cc9ad33" "000003A8" "WinSta0\Default" "000002A8" "208" "c:\users\admin\appdata\local\temp\_ir_sf_temp_0" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 700 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot21" "" "" "6f9bf5bcb" "00000000" "000005F4" "000005F0" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
9 979
Read events
6 345
Write events
3 601
Delete events
33
Modification events
| (PID) Process: | (1812) ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\3F369FEC1EA4B285A44F3AD935922B152D7C68AC |
| Operation: | write | Name: | Blob |
Value: 0300000001000000140000003F369FEC1EA4B285A44F3AD935922B152D7C68AC2000000001000000640500003082056030820448A003020102020900B9A5E5882CA0467A300D06092A864886F70D01010505003081DC310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C6531253023060355040A131C537461726669656C6420546563686E6F6C6F676965732C20496E632E31393037060355040B1330687474703A2F2F6365727469666963617465732E737461726669656C64746563682E636F6D2F7265706F7369746F72793131302F06035504031328537461726669656C64205365637572652043657274696669636174696F6E20417574686F726974793111300F060355040513083130363838343335301E170D3135313230343038303033385A170D3138303932383138323534325A3061310B300906035504061302534B311830160603550407130F44756E616A736B6120537472656461311B3019060355040A13124575726F2D53657276657220732E722E6F2E311B3019060355040313124575726F2D53657276657220732E722E6F2E30820122300D06092A864886F70D01010105000382010F003082010A0282010100DAF719B5B3530BB03D6BB53CACD4FE8B573F94035A796E2C2FAA27EA7DFA8E3CDFE843FB596524F9A153A4C8E6C0745F213674312132944B135C2FC53BCC6801692427FA4925089884F24970170F0CC85C824CF31B953E46CEB7D910684337FD0BCE11E58BF527B815AB2463CDD9012612DE483CA679B33CA41B0D985F5ED7A7871931AF6CAE28B53696903FD8CD6AC32A50213EC192FDFB127EE873C7482478626CC9025089DE21A60396492FE871765B58E5265BB09158AE7CDB9C493420145DB92E53F26275B62602C0B8B94C8148A6A97B30FA68B2D0E865D9C80E69D0DB63EFDB9413705216C17D8E661AECAF121778115DB709839A4102334880D36FC10203010001A382019D30820199300C0603551D130101FF0402300030130603551D25040C300A06082B06010505070303300E0603551D0F0101FF04040302078030390603551D1F04323030302EA02CA02A8628687474703A2F2F63726C2E737461726669656C64746563682E636F6D2F736673352D31362E63726C30590603551D2004523050304E060B6086480186FD6E01071702303F303D06082B060105050702011631687474703A2F2F6365727469666963617465732E737461726669656C64746563682E636F6D2F7265706F7369746F72792F30818D06082B06010505070101048180307E302A06082B06010505073001861E687474703A2F2F6F6373702E737461726669656C64746563682E636F6D2F305006082B060105050730028644687474703A2F2F6365727469666963617465732E737461726669656C64746563682E636F6D2F7265706F7369746F72792F73665F696E7465726D6564696174652E637274301F0603551D23041830168014494B5227D11BBCF2A1216A627B51427A8AD7D556301D0603551D0E04160414EDE79531901B916A183A6DA721AEB6C10E0965FF300D06092A864886F70D010105050003820101009B9545C0C75B4BC3E9CD82632781066973F7B0D6B9B054329F19518E75692963B629E8F8454199F3D28BE28C718F7ABA36FB534427D84945527D2843936433091B6D12C9792364ADE245E20D1A4E18AE88F31CB210AF70AB5AF0718BC71417A062EF696EF77F350639220F7161EDE483AE7B0038D282429768991D5479B7ACB90C66D6C3631149755345436A2675934C21EEF2D1014D8E6CC16FE9D775D28648A5A0FC7004D6ABC9466F7A7B89FD94C8F1963596E7CDFC4520A3393A3E1381CCD128B2A480EB31CB1081864FB7CDDCA58D8BD2B8F051F4F0614A4E5498B4FE56B3CD74BFF624208010EC1E42DF7201AFE91DF95EC826C5481F6EF0E657ED5479 | |||
| (PID) Process: | (1812) ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\A7E3A467024FFA1DCE74842C491E6BBAAE6123C7 |
| Operation: | write | Name: | Blob |
Value: 030000000100000014000000A7E3A467024FFA1DCE74842C491E6BBAAE6123C72000000001000000440500003082054030820428A00302010202084907C25D92D984EF300D06092A864886F70D01010B05003081C6310B30090603550406130255533110300E060355040813074172697A6F6E61311330110603550407130A53636F74747364616C6531253023060355040A131C537461726669656C6420546563686E6F6C6F676965732C20496E632E31333031060355040B132A687474703A2F2F63657274732E737461726669656C64746563682E636F6D2F7265706F7369746F72792F313430320603550403132B537461726669656C642053656375726520436572746966696361746520417574686F72697479202D204732301E170D3135313230343038303033385A170D3138303932383138323534325A3061310B300906035504061302534B311830160603550407130F44756E616A736B6120537472656461311B3019060355040A13124575726F2D53657276657220732E722E6F2E311B3019060355040313124575726F2D53657276657220732E722E6F2E30820122300D06092A864886F70D01010105000382010F003082010A0282010100DAF719B5B3530BB03D6BB53CACD4FE8B573F94035A796E2C2FAA27EA7DFA8E3CDFE843FB596524F9A153A4C8E6C0745F213674312132944B135C2FC53BCC6801692427FA4925089884F24970170F0CC85C824CF31B953E46CEB7D910684337FD0BCE11E58BF527B815AB2463CDD9012612DE483CA679B33CA41B0D985F5ED7A7871931AF6CAE28B53696903FD8CD6AC32A50213EC192FDFB127EE873C7482478626CC9025089DE21A60396492FE871765B58E5265BB09158AE7CDB9C493420145DB92E53F26275B62602C0B8B94C8148A6A97B30FA68B2D0E865D9C80E69D0DB63EFDB9413705216C17D8E661AECAF121778115DB709839A4102334880D36FC10203010001A382019430820190300C0603551D130101FF0402300030130603551D25040C300A06082B06010505070303300E0603551D0F0101FF040403020780303B0603551D1F043430323030A02EA02C862A687474703A2F2F63726C2E737461726669656C64746563682E636F6D2F736669673273352D302E63726C30590603551D2004523050304E060B6086480186FD6E01071702303F303D06082B060105050702011631687474703A2F2F6365727469666963617465732E737461726669656C64746563682E636F6D2F7265706F7369746F72792F30818206082B0601050507010104763074302A06082B06010505073001861E687474703A2F2F6F6373702E737461726669656C64746563682E636F6D2F304606082B06010505073002863A687474703A2F2F6365727469666963617465732E737461726669656C64746563682E636F6D2F7265706F7369746F72792F73666967322E637274301F0603551D23041830168014254581685026383D3B2D2CBECD6AD9B63DB36663301D0603551D0E04160414EDE79531901B916A183A6DA721AEB6C10E0965FF300D06092A864886F70D01010B05000382010100173D1E411D7A14AF3BBD8E45193F03F8120BEA70BC00006CF270E468FE0F24777BA3FF27A60740A2D804CC7901BAF8BFE20E98FF9DEB77DA2FE286C63AB3ACD1EB3E01CAC5D83C83E4E4B978B7001C2D5F7417BF12D24C28B4ED48A0D1A65CD624968A7FE3B85775C3DF3FD859DE59F5638691439224BCF58D1FF8F817383280800B96AC466281BB6993DECB1AE857981A63CE90958D30B296DA4392AE64AA964E11CB03CB4C37650DB70BFE5E5BE2F689CD93685439E33E08363830B06FD39933388E0EB397165322A2BD11C2AF29AD46B209229EF9EBE777965E18953C733AB655AF856C43CE080755DBAF1FF92929629FF620E7232FC5E4B2BCC4748A7F13 | |||
| (PID) Process: | (1812) ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
| Operation: | write | Name: | Name |
Value: ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | |||
| (PID) Process: | (3804) b1a0d51eeb0b96e443ffd0da6881a9862bca9594.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3804) b1a0d51eeb0b96e443ffd0da6881a9862bca9594.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (1960) irsetup.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4000000000000000C748AF8936DCD401A8070000C80A0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1960) irsetup.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4000000000000000C748AF8936DCD401A8070000C80A0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1960) irsetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 20 | |||
| (PID) Process: | (1960) irsetup.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGatherWriterMetadata (Enter) |
Value: 40000000000000006B27528A36DCD401A8070000C80A0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1960) irsetup.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000F9D65B8A36DCD401A8070000040F0000E80300000100000000000000000000002B183CB0BBF2234FA0D92BB16BC7D1AC0000000000000000 | |||
Executable files
278
Suspicious files
465
Text files
448
Unknown types
191
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\619572f4c59c16656b0e91e66eead08b0e301f06.jsc.Hp1812 | — | |
MD5:— | SHA256:— | |||
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\2957889c4d99155aef8c1588bac9d45b5885decc.qmlc.gq1812 | — | |
MD5:— | SHA256:— | |||
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\0bd5cf23c1a78fdd98ccbf96a05645392c65305c.qmlc.Uh1812 | — | |
MD5:— | SHA256:— | |||
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\ac4358be4e9a3cdeb4a8e1d576ec478aa216e9b9.qmlc.em1812 | — | |
MD5:— | SHA256:— | |||
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\116d9014284e9a310aa20bd041d1b09d87828908.qmlc.Ya1812 | — | |
MD5:— | SHA256:— | |||
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\9779a7429fce2510e47ce1a9b32b01bfc446a599.jsc.Nl1812 | — | |
MD5:— | SHA256:— | |||
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\9764a0cf7398d05f1f046dc0c358adf765f28657.jsc.fl1812 | — | |
MD5:— | SHA256:— | |||
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\e4ef80837691d5be54fee0047ddf51951a963467.jsc.Xd1812 | — | |
MD5:— | SHA256:— | |||
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\0c2d95c87a236693664d20d984984588e966f794.qmlc.if1812 | — | |
MD5:— | SHA256:— | |||
| 1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | C:\Users\admin\AppData\Local\ChimeraInstaller\cache\qmlcache\c45e0a706eb6ccbb094e556ff56d02266ca8f60c.qmlc.cr1812 | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
62
DNS requests
9
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | 104.20.78.245:443 | chimeratool.com | Cloudflare Inc | US | shared |
1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | 104.20.77.245:443 | chimeratool.com | Cloudflare Inc | US | shared |
1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | 104.20.143.39:443 | data.chimeratool.com | Cloudflare Inc | US | shared |
1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | 104.20.142.39:443 | data.chimeratool.com | Cloudflare Inc | US | shared |
1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | 172.217.18.112:443 | storage.googleapis.com | Google Inc. | US | whitelisted |
1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | 162.125.72.6:443 | dl.dropboxusercontent.com | Dropbox, Inc. | US | suspicious |
1812 | ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | 162.125.66.6:443 | dl.dropboxusercontent.com | Dropbox, Inc. | DE | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
chimeratool.com |
| whitelisted |
data.chimeratool.com |
| unknown |
storage.googleapis.com |
| whitelisted |
dl.dropboxusercontent.com |
| shared |
Threats
Process | Message |
|---|---|
ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | Failed to load libEGL (The specified module could not be found.)
|
ChimeraInstaller.FARHAZ MOBILE SOFTWARE.exe | QWindowsEGLStaticContext::doTest: Failed to load and resolve libEGL functions
|
Setup.exe | A StopBlock was hit or a System Requirement was not met. |
ExeInvoker.exe | **** ExeInvoker *****
|
UninstallShld.exe | bProductFound 0
|
UninstallShld.exe | bProductFound 0
|
UninstallShld.exe | bProductFound 0
|
UninstallShld.exe | bProductFound 0
|
UninstallShld.exe | bProductFound 0
|
ExeLauncher.exe | **** Install Launcher *****
|