
Analysis Report FYI.exe

Overview

General Information

Sample Name: FYI.exe
Analysis ID: 339364
MD5: 4768fad22f989c9ac940775ca46f91f6
SHA1: 78f2e47fbcd50d77b8c0ea5e07209a2b1a79c45e
SHA256: 275b79db451178b96e4872f9164b8b89f25a5f22ff8ba5f983d555cb3972a95d
Tags: exe

Detection

AgentTesla
Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains potential unpacker
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Startup

  • System is w10x64
  • FYI.exe (PID: 7132 cmdline: 'C:\Users\user\Desktop\FYI.exe' MD5: 4768FAD22F989C9AC940775CA46F91F6)
    • WerFault.exe (PID: 4832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1160 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.416956383.0000000003669000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: FYI.exe PID: 7132 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: FYI.exe PID: 7132 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

          Multi AV Scanner detection for submitted file
          Source: FYI.exe  Virustotal: Detection: 28%
          Source: FYI.exe  ReversingLabs: Detection: 13%
          Machine Learning detection for sample
          Source: FYI.exe  Joe Sandbox ML: detected
          Source: FYI.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: FYI.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: dwmapi.pdb4 source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb" source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.354264046.00000000007BF000.00000004.00000001.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: ml.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
          Source: Binary string: .ni.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: bcrypt.pdb& source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Windows.Forms.pdb" source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: ility.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb" source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.354375862.00000000007C4000.00000004.00000001.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: ole32.pdbp source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: ility.pdbn source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: rsaenh.pdb> source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: ~IC:\Users\user\Desktop\FYI.PDB source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
          Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
          Source: Binary string: clrjit.pdbD source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdbR source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdbH source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdbv source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER7630.tmp.dmp.4.dr
          Source: Binary string: FYI.PDB source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
          Source: Binary string: WLDP.pdb\ source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb* source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.354264046.00000000007BF000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER7630.tmp.dmp.4.dr
          Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WER7630.tmp.dmp.4.dr
          Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: System.Drawing.pdb`i source: WER7630.tmp.dmp.4.dr
          Source: Binary string: System.Core.ni.pdbRSDSD source: WER7630.tmp.dmp.4.dr
          Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdbz source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Drawing.pdb" source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdbN source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: System.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.354082981.00000000007B3000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER7630.tmp.dmp.4.dr
          Source: Binary string: clrjit.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\Desktop\FYI.PDB source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
          Source: Binary string: wUxTheme.pdb8 source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: System.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: ore.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
          Source: Binary string: System.Windows.Forms.pdbt source: WER7630.tmp.dmp.4.dr
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: powrprof.pdbl source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.354375862.00000000007C4000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.pdbP source: WER7630.tmp.dmp.4.dr
          Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: combase.pdbk source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: j,C:\Windows\System.pdb source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Nearly every .pdb name above is sourced from WerFault.exe (process index 00000004) or its WER7630.tmp.dmp crash dump, so they are the ordinary Windows and .NET Framework symbol names of the modules loaded in the crashing process, not something the sample carries. The only entries sourced from FYI.exe itself are FYI.PDB, the full build path C:\Users\user\Desktop\FYI.PDB and C:\Windows\System.pdb; the full path is the one worth keeping, since it is the compiler output directory on the box the .NET binary was built on.
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
          Source: WerFault.exe, 00000004.00000003.358763831.0000000004FE0000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
          The schemas.xmlsoap.org/ws/2005/05/identity/claims/* entries above are the WS-Federation claim-type constants built into the .NET Framework (System.Security.Claims.ClaimTypes in mscorlib); they are in WerFault.exe's memory because it dumped a crashing .NET process. They are string constants, not network activity, and are not indicators for this sample.
          Source: FYI.exe, 00000000.00000002.416956383.0000000003669000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
          This Tor Browser download URL is attributed to the FYI.exe memory region 00000000.00000002.416956383.0000000003669000 only, the same region the JoeSecurity_AgentTesla_1 rule matched in the Yara overview above, so it belongs to the in-memory payload the rule fired on rather than to a string visible in the file on disk.
          Source: C:\Users\user\Desktop\FYI.exeCode function: 0_2_001A90130_2_001A9013
          Source: C:\Users\user\Desktop\FYI.exeCode function: 0_2_00A2C62C0_2_00A2C62C
          Source: C:\Users\user\Desktop\FYI.exeCode function: 0_2_00A2E8A00_2_00A2E8A0
          Source: C:\Users\user\Desktop\FYI.exeCode function: 0_2_00A2E8900_2_00A2E890
          Source: C:\Users\user\Desktop\FYI.exeCode function: 0_2_057B491D0_2_057B491D
          Source: C:\Users\user\Desktop\FYI.exeCode function: 0_2_057B0BD80_2_057B0BD8
          Source: C:\Users\user\Desktop\FYI.exeCode function: 0_2_057B0BC90_2_057B0BC9
          Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1160
          Source: FYI.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: FYI.exe, 00000000.00000000.335501038.000000000027F000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameELEMDESC.exe@ vs FYI.exe
          Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSoapName.dll2 vs FYI.exe
          Source: FYI.exe, 00000000.00000002.420908205.0000000005720000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePositiveSign.dll< vs FYI.exe
          Source: FYI.exe, 00000000.00000002.416956383.0000000003669000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamemtIhhvyBlBQJqvuFVfaUQvZuNNNzVTchmZnhg.exe4 vs FYI.exe
          Source: FYI.exeBinary or memory string: OriginalFilenameELEMDESC.exe@ vs FYI.exe
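The debug-symbol strings earlier in this section and the OriginalFilename mismatches just listed are two kinds of build-environment leak that are worth pulling out of a memory dump systematically rather than reading off a report line by line. The Python helper below is an added example written for this page; it is not code from the sandbox report, from Joe Security or from the sample. It scans a raw dump for .pdb strings (ASCII and UTF-16LE), separates full build paths such as C:\Users\user\Desktop\FYI.PDB from bare Microsoft symbol names, walks CodeView RSDS records (the structure behind the mscorlib.ni.pdbRSDS strings in the report: 'RSDS', a 16-byte GUID, a 32-bit age and a NUL-terminated path) and reads OriginalFilename values out of VS_VERSIONINFO String entries to compare with the on-disk name. The "directory component means build-path leak" rule is a heuristic of this example, and the dump fragment at the bottom, including its GUID, is constructed to mirror the strings in this report rather than taken from the real sample.

```python
"""Added triage helper: pull build-environment leaks (PDB paths, CodeView
RSDS records, VS_VERSIONINFO OriginalFilename values) out of a raw memory
dump.  Example code for this page, not part of the sandbox report."""
import re
import struct
import uuid
from dataclasses import dataclass

# Printable run ending in ".pdb", once as raw ASCII and once as UTF-16LE.
_PDB_ASCII = re.compile(rb"[\x20-\x7e]{1,259}?\.pdb(?![0-9A-Za-z_])", re.IGNORECASE)
_PDB_WIDE = re.compile(
    rb"(?:[\x20-\x7e]\x00){1,259}?\.\x00p\x00d\x00b\x00(?![0-9A-Za-z_]\x00)", re.IGNORECASE)
# Used to drop junk in front of a path, e.g. the "~I" bytes the report shows
# before C:\Users\user\Desktop\FYI.PDB.
_DRIVE = re.compile(r"[A-Za-z]:\\")
# VS_VERSIONINFO String entry key, UTF-16LE, with its NUL terminator.
_ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


@dataclass(frozen=True)
class CodeView:
    """One CodeView PDB 7.0 ('RSDS') debug record."""
    guid: uuid.UUID
    age: int
    path: str

    @property
    def symsrv_key(self) -> str:
        # Microsoft symbol-server directory name: GUID as 32 upper-case hex
        # digits followed by the age in hex, e.g. <pdb>/<key>/<pdb>.
        return f"{self.guid.hex.upper()}{self.age:X}"


def find_pdb_strings(data: bytes) -> list[str]:
    """All .pdb strings in the blob, de-duplicated, junk before a drive letter removed."""
    found: list[str] = []
    for pattern, encoding in ((_PDB_ASCII, "ascii"), (_PDB_WIDE, "utf-16-le")):
        for m in pattern.finditer(data):
            s = m.group(0).decode(encoding, errors="replace")
            drive = _DRIVE.search(s)
            if drive:
                s = s[drive.start():]
            if s not in found:
                found.append(s)
    return found


def is_build_path_leak(pdb: str) -> bool:
    """Heuristic (assumption of this example): Microsoft's own symbols are
    referenced by bare file name (wntdll.pdb, mscorlib.ni.pdb); a directory
    component means the compiler's output path leaked into the binary."""
    return "\\" in pdb or "/" in pdb


def parse_rsds(data: bytes) -> list[CodeView]:
    """Walk every 'RSDS' | GUID (16 bytes, little-endian) | age (u32) | path\\0 record."""
    records: list[CodeView] = []
    pos = 0
    while (pos := data.find(b"RSDS", pos)) != -1:
        body = data[pos + 4:]
        end = body.find(b"\x00", 20)
        if len(body) >= 20 and end != -1:
            path = body[20:end].decode("ascii", errors="replace")
            if path.lower().endswith(".pdb"):
                guid = uuid.UUID(bytes_le=bytes(body[:16]))
                age = struct.unpack_from("<I", body, 16)[0]
                records.append(CodeView(guid, age, path))
        pos += 4
    return records


def find_original_filenames(data: bytes) -> list[str]:
    """OriginalFilename values from VS_VERSIONINFO String entries: after the
    UTF-16 key and its NUL come DWORD-alignment padding and the UTF-16 value,
    which ends at the first NUL character (bytes after that belong to the
    next structure and are not part of the name)."""
    names: list[str] = []
    pos = 0
    while (pos := data.find(_ORIGINAL_FILENAME_KEY, pos)) != -1:
        p = pos + len(_ORIGINAL_FILENAME_KEY)
        while data[p:p + 2] == b"\x00\x00":        # skip alignment padding
            p += 2
        end = p
        while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        value = data[p:end].decode("utf-16-le", errors="replace")
        if value and value not in names:
            names.append(value)
        pos = max(end, p)
    return names


def triage(data: bytes, sample_name: str) -> dict:
    """The findings an analyst wants first, keyed by finding type."""
    pdbs = find_pdb_strings(data)
    originals = find_original_filenames(data)
    return {
        "pdb_paths": pdbs,
        "build_path_leaks": [p for p in pdbs if is_build_path_leak(p)],
        "codeview": parse_rsds(data),
        "original_filenames": originals,
        "name_mismatches": [n for n in originals if n.lower() != sample_name.lower()],
    }


def _w(s: str) -> bytes:           # UTF-16LE helper for the constructed blob
    return s.encode("utf-16-le")


# Constructed dump fragment for this example (not bytes from the real sample):
# the sample's build path behind two junk bytes, a WOW64 system PDB name, an
# RSDS record for mscorlib.ni.pdb with a made-up GUID, a UTF-16 .pdb string,
# and two version-info String entries with different OriginalFilename values.
SAMPLE_DUMP = (
    b"\x00\x00~IC:\\Users\\user\\Desktop\\FYI.PDB\x00"
    + b"\x00wntdll.pdb\x00"
    + b"RSDS" + uuid.UUID("12345678-1234-5678-9abc-def012345678").bytes_le
    + struct.pack("<I", 1) + b"mscorlib.ni.pdb\x00\x00"
    + _w("System.Xml.ni.pdb") + b"\x00\x00"
    + _ORIGINAL_FILENAME_KEY + _w("ELEMDESC.exe") + b"\x00\x00@\x00"
    + _ORIGINAL_FILENAME_KEY + _w("mtIhhvyBlBQJqvuFVfaUQvZuNNNzVTchmZnhg.exe") + b"\x00\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP, "FYI.exe").items():
        print(f"{key}: {value}")
```

Run it over a process dump from the sandbox (or over FYI.exe itself) and look at build_path_leaks and name_mismatches first. Several different OriginalFilename values inside one process, as in this report (ELEMDESC.exe, SoapName.dll, PositiveSign.dll and a random-looking .exe name, each in a different memory region), means more than one PE image's version resource is sitting in memory, which is consistent with the report's "potential unpacker" finding rather than with a single renamed file. The trailing @, 2, < and 4 on the report's strings are stray bytes from the structure that follows each value, not part of the name; the parser stops at the value's NUL terminator, so they do not show up.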
          Source: FYI.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: classification engineClassification label: mal76.troj.evad.winEXE@2/4@0/1
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7132
          Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7630.tmpJump to behavior
          Source: FYI.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\FYI.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\FYI.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: FYI.exeVirustotal: Detection: 28%
          Source: FYI.exeReversingLabs: Detection: 13%
          Source: C:\Users\user\Desktop\FYI.exeFile read: C:\Users\user\Desktop\FYI.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\FYI.exe 'C:\Users\user\Desktop\FYI.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 1160
          Source: C:\Users\user\Desktop\FYI.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\FYI.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: FYI.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: FYI.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Drawing.pdb source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.354264046.00000000007BF000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER7630.tmp.dmp.4.dr
          Source: Binary string: Accessibility.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WER7630.tmp.dmp.4.dr
          Source: Binary string: ml.ni.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: System.Drawing.pdb`i source: WER7630.tmp.dmp.4.dr
          Source: Binary string: System.Core.ni.pdbRSDSD source: WER7630.tmp.dmp.4.dr
          Source: Binary string: Accessibility.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdbz source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Drawing.pdb" source: WerFault.exe, 00000004.00000003.360659515.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: gdiplus.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdbN source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: System.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.354082981.00000000007B3000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER7630.tmp.dmp.4.dr
          Source: Binary string: clrjit.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\Desktop\FYI.PDB source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
          Source: Binary string: wUxTheme.pdb8 source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: System.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: ore.pdb source: WerFault.exe, 00000004.00000003.360647312.0000000004D79000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.360760457.0000000004D60000.00000004.00000040.sdmp
          Source: Binary string: System.Windows.Forms.pdbt source: WER7630.tmp.dmp.4.dr
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.360694227.0000000004D91000.00000004.00000001.sdmp
          Source: Binary string: powrprof.pdbl source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.354375862.00000000007C4000.00000004.00000001.sdmp
          Source: Binary string: System.Xml.pdbP source: WER7630.tmp.dmp.4.dr
          Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: combase.pdbk source: WerFault.exe, 00000004.00000003.360735291.0000000004D64000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdb source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: j,C:\Windows\System.pdb source: FYI.exe, 00000000.00000002.411046230.00000000006F8000.00000004.00000010.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000004.00000002.406566000.00000000054E0000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000004.00000003.360654287.0000000004D61000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp, WER7630.tmp.dmp.4.dr
          Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.360739943.0000000004D67000.00000004.00000040.sdmp
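Almost every .pdb name above was read from WerFault.exe's memory or the WER crash dump, so these are the symbol-file names of the Windows and .NET Framework modules loaded in the crashed process, not anything the sample's author embedded. The one entry that names the sample, FYI.PDB, comes from FYI.exe's own memory and matches the sample's location on the sandbox (C:\Users\user\Desktop), so it should not be read as the author's build path without checking the sample's own debug directory. The added example below (the editor's code, not part of the Joe Sandbox report) carves PDB 7.0 "RSDS" CodeView records, the structure behind the "mscorlib.ni.pdbRSDS" fragments listed above, out of a raw file or dump; the sample blob, its GUID and age are constructed, and the user-profile-path flag is an assumed triage heuristic.

```python
import re
import struct
import uuid

# Layout of a PDB 7.0 CodeView record as the MSVC and .NET linkers write it
# into the PE debug directory (IMAGE_DEBUG_TYPE_CODEVIEW):
#   char  Signature[4]   "RSDS"
#   GUID  PdbSignature   16 bytes, little-endian GUID
#   DWORD Age            32-bit little-endian
#   char  PdbFileName[]  NUL-terminated, usually the absolute path on the build box
_RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[\x20-\x7e]{1,260})\x00",
    re.DOTALL,
)


def build_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    """Serialise one RSDS record (used here only to construct test input)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"


def extract_rsds(blob: bytes) -> list:
    """Carve every complete RSDS record out of a raw blob (PE file or memory dump)."""
    records = []
    for m in _RSDS_RE.finditer(blob):
        records.append({
            "offset": m.start(),
            "guid": str(uuid.UUID(bytes_le=m.group("guid"))),
            "age": struct.unpack("<I", m.group("age"))[0],
            "path": m.group("path").decode("ascii"),
        })
    return records


def is_user_build_path(path: str) -> bool:
    """Assumed heuristic: a PDB path under a user profile points at a hand-built
    binary rather than a vendor build tree."""
    p = path.replace("/", "\\").lower()
    return p.startswith("c:\\users\\") or "\\desktop\\" in p


# Constructed sample: one valid record surrounded by junk, plus a bare "RSDS"
# signature with no terminated path, which must not be reported as a record.
_SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-56789abcdef0")
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"RSDS\xff\xff"                      # decoy: signature without a full record
    + b"\x90" * 8
    + build_rsds(_SAMPLE_GUID, 1, r"C:\Users\user\Desktop\FYI.PDB")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for rec in extract_rsds(SAMPLE_BLOB):
        flag = "user-profile build path" if is_user_build_path(rec["path"]) else ""
        print(f'0x{rec["offset"]:x} guid={rec["guid"]} age={rec["age"]} {rec["path"]} {flag}')
```

Run it over a dump (`extract_rsds(open(path, "rb").read())`) and compare the GUID and age against the sample's own IMAGE_DEBUG_DIRECTORY entry: a record whose GUID differs from the one in the file's debug directory belongs to some other loaded module, exactly the situation the WerFault.exe entries above illustrate.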

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: FYI.exe, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.FYI.exe.1a0000.0.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.FYI.exe.1a0000.0.unpack, LoaderInformation.cs .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: initial sample Static PE information: section name: .text entropy: 7.25136431131
          Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\FYI.exe Process information set: NOOPENFILEERRORBOX (28 occurrences)
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 occurrences)
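The two static indicators at the top of this section, a call site for System.Reflection.Assembly::Load(System.Byte[]) and a .text section at 7.25 bits per byte, are what the unpacker heuristic keys on: a small .NET loader whose real payload sits encrypted inside the image and is reflected into memory at run time. The entropy half of that check, as an added example (the editor's code, not the report's or Joe Sandbox's), using only the standard library: it walks the PE section table, scores each section, and flags those above a threshold. The 7.0 threshold, the minimal PE builder and the two sections it packs in are constructed for the example; the builder produces a parseable, not a loadable, image.

```python
import math
import struct

FILE_ALIGN = 0x200
HIGH_ENTROPY = 7.0   # assumed triage threshold; the report flagged .text at 7.25


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> list:
    """Walk the PE section table and return (name, raw bytes) for every section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        hdr = table + i * 40
        name = image[hdr:hdr + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        out.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return out


def section_entropies(image: bytes) -> dict:
    return {name: shannon_entropy(data) for name, data in pe_sections(image)}


def high_entropy_sections(image: bytes, threshold: float = HIGH_ENTROPY) -> list:
    """Names of sections whose entropy suggests packed or encrypted content."""
    return [n for n, e in section_entropies(image).items() if e > threshold]


def build_min_pe(sections: list) -> bytes:
    """Assemble a minimal PE32 image around (name, data) pairs. Constructed test
    input only: headers are mostly zero, so it parses but would never load."""
    e_lfanew, size_opt = 0x40, 0xE0
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\x00")
    headers_end = e_lfanew + 4 + len(coff) + size_opt + 40 * len(sections)
    first_raw = -(-headers_end // FILE_ALIGN) * FILE_ALIGN   # round up to alignment
    raw_ptr, rva, table, body = first_raw, 0x1000, b"", b""
    for name, data in sections:
        data = data.ljust(-(-len(data) // FILE_ALIGN) * FILE_ALIGN, b"\x00")
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), rva,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
        rva += len(data)
    headers = (dos + b"PE\x00\x00" + coff + opt + table).ljust(first_raw, b"\x00")
    return headers + body


# Constructed sections: one that looks encrypted, one that looks like plain data.
PACKED_TEXT = bytes(range(256)) * 16    # every byte value equally often: 8.0 bits/byte
PLAIN_RSRC = b"ABCDEFGH" * 512          # eight symbols equally often: 3.0 bits/byte
SAMPLE_PE = build_min_pe([(".text", PACKED_TEXT), (".rsrc", PLAIN_RSRC)])

if __name__ == "__main__":
    for name, ent in section_entropies(SAMPLE_PE).items():
        print(f"{name:8s} {ent:.3f} bits/byte")
    print("suspect:", high_entropy_sections(SAMPLE_PE))
```

A high-entropy .text on its own is only a hint (legitimately signed, packed installers score the same); it is the combination with a reflective Assembly.Load(byte[]) call in a file this small that makes the unpacker verdict, which is why the report lists both.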

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match, File source: 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: FYI.exe PID: 7132, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\FYI.exe TID: 7136 Thread sleep time: -51794s >= -30000s
          Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: WerFault.exe, 00000004.00000002.404661045.0000000004AB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: WerFault.exe, 00000004.00000002.404531746.0000000004867000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
          Source: WerFault.exe, 00000004.00000003.370449184.00000000048D4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
          Source: WerFault.exe, 00000004.00000002.404661045.0000000004AB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: WerFault.exe, 00000004.00000002.404661045.0000000004AB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: FYI.exe, 00000000.00000002.415958937.0000000002661000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: WerFault.exe, 00000004.00000002.404661045.0000000004AB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\FYI.exe Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Users\user\Desktop\FYI.exe VolumeInformation
          Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\FYI.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\FYI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
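The strings matched in FYI.exe's memory (SBIEDLL.DLL, the Wine-only kernel32 export name, VMware SVGA II, the VMware Tools registry key and install path) are upper-cased copies, and a .NET process holds its strings as UTF-16LE, so a byte-exact ASCII grep over a process dump misses most of them. The Hyper-V lines, by contrast, were found in WerFault.exe's memory and read like Windows' own error-message text rather than behaviour of the sample, so every hit needs to be attributed to the process it came from. The added example below (the editor's code, not the report's or the AntiVM_3 rule) scans a dump for these indicators in both encodings, case-insensitively, tags each hit with its source process, and drops a short marker that lies inside a longer one so each artefact is reported once; the two dump buffers are constructed.

```python
import re

# Indicator strings quoted in the report section above, with what each one tells
# the malware about its environment.
ANTI_VM_INDICATORS = {
    "SBIEDLL.DLL": "Sandboxie DLL loaded in-process",
    "WINE_GET_UNIX_FILE_NAME": "Wine-specific kernel32 export",
    "VMWARE SVGA II": "VMware display adapter name",
    "SOFTWARE\\VMWARE, INC.\\VMWARE TOOLS": "VMware Tools registry key",
    "VMWARE TOOLS": "VMware Tools install path",
    "VMWARE": "generic VMware marker",
}


def _pattern(indicator: str):
    """Compile one indicator so it matches as ASCII or as UTF-16LE, ignoring case."""
    ascii_form = re.escape(indicator.encode("ascii"))
    utf16_form = re.escape(indicator.encode("utf-16-le"))
    return re.compile(ascii_form + b"|" + utf16_form, re.IGNORECASE)


_PATTERNS = {ind: _pattern(ind) for ind in ANTI_VM_INDICATORS}


def scan_anti_vm(blob: bytes, source: str) -> list:
    """Return every indicator hit in blob, tagged with the process it came from,
    sorted by offset. A hit fully contained in a longer hit (VMWARE inside
    VMWARE SVGA II) is suppressed."""
    raw = []
    for indicator, pat in _PATTERNS.items():
        for m in pat.finditer(blob):
            raw.append({
                "source": source,
                "offset": m.start(),
                "end": m.end(),
                "indicator": indicator,
                "meaning": ANTI_VM_INDICATORS[indicator],
                "encoding": "utf-16le" if b"\x00" in m.group(0) else "ascii",
            })
    hits = []
    for h in raw:
        shadowed = any(
            o is not h
            and o["offset"] <= h["offset"] and h["end"] <= o["end"]
            and (o["end"] - o["offset"]) > (h["end"] - h["offset"])
            for o in raw
        )
        if not shadowed:
            hits.append(h)
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a .NET process dump: mixed-case UTF-16LE strings as
# the CLR stores them, plus one ASCII copy, separated by zero padding.
SAMPLE_FYI_DUMP = (
    b"\x00" * 8
    + "SBIEDLL.DLL".encode("utf-16-le")
    + b"\x00" * 4
    + "VMware SVGA II".encode("utf-16-le")
    + b"\x00" * 4
    + "SOFTWARE\\VMware, Inc.\\VMware Tools".encode("utf-16-le")
    + b"\x00" * 4
    + b"vmware"
    + b"\x00" * 8
)

# Constructed stand-in for WerFault.exe memory: Windows' own Hyper-V message
# text, which mentions virtual machines but is not an anti-VM check.
SAMPLE_WERFAULT_DUMP = (
    "A Virtual Machine could not be started because Hyper-V is not installed.".encode("utf-16-le")
    + b"\x00" * 4
    + b"Hyper-V RAW"
)

if __name__ == "__main__":
    for name, blob in (("FYI.exe", SAMPLE_FYI_DUMP), ("WerFault.exe", SAMPLE_WERFAULT_DUMP)):
        for h in scan_anti_vm(blob, name):
            print(f'{h["source"]} +0x{h["offset"]:x} [{h["encoding"]}] {h["indicator"]}: {h["meaning"]}')
```

On a real dump, feed each process's region separately (the report's sdmp files map one to one onto that) so that a Hyper-V message table in WerFault.exe or an OS module never gets booked against the sample.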

          Stealing of Sensitive Information:

          Yara detected AgentTesla
          Source: Yara match, File source: 00000000.00000002.416956383.0000000003669000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: FYI.exe PID: 7132, type: MEMORY

          Remote Access Functionality:

          Yara detected AgentTesla
          Source: Yara match, File source: 00000000.00000002.416956383.0000000003669000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: FYI.exe PID: 7132, type: MEMORY

          Mitre Att&ck Matrix

          The original page renders this as a grid with one column per tactic; the columns are listed here per tactic. Digits trailing a technique name are the report's signature-match badges, kept as extracted; techniques without a badge are the grid's unmatched cells.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
          Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
          Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
          Defense Evasion: Virtualization/Sandbox Evasion 1; Disable or Modify Tools 1; Software Packing 11; Process Injection 1; Obfuscated Files or Information 1
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
          Discovery: Query Registry 1; Security Software Discovery 11; Virtualization/Sandbox Evasion 1; System Information Discovery 12; Remote System Discovery 1
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
          Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
          Command and Control: Encrypted Channel 1; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings

          Behavior Graph

          [Behavior graph image not reproduced. Its legend distinguishes: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet.]

          Screenshots
