| Source | Finding | Address |
|---|---|---|
| 1.2.dktozm.exe.a20000.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "muhasebe@parkhotelizmir.com", "Password": "zHhYkTCp0(bk", "Host": "mail.parkhotelizmir.com"} | |
| OR098765458900009876540.exe | Virustotal: Detection: 28% | |
| OR098765458900009876540.exe | ReversingLabs: Detection: 26% | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Virustotal: Detection: 40% | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | ReversingLabs: Detection: 26% | |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Virustotal: Detection: 40% | |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | ReversingLabs: Detection: 26% | |
| OR098765458900009876540.exe | Joe Sandbox ML: detected | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Joe Sandbox ML: detected | |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Joe Sandbox ML: detected | |
| OR098765458900009876540.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED | |
| | Binary string: C:\fhkoa\tmrvof\utxf\9028a39e21cc4788aca7630018f06cbf\jixuwv\evsohjmi\Release\evsohjmi.pdb source: OR098765458900009876540.exe, 00000000.00000002.269600052.000000000040B000.00000004.00000001.01000000.00000003.sdmp, OR098765458900009876540.exe, 00000000.00000002.269786138.0000000002734000.00000004.00000800.00020000.00000000.sdmp, dktozm.exe, 00000001.00000002.255310840.000000000117B000.00000002.00000001.01000000.00000004.sdmp, dktozm.exe, 00000001.00000002.255152045.0000000000E60000.00000004.00001000.00020000.00000000.sdmp, dktozm.exe, 00000001.00000000.250355664.000000000117B000.00000002.00000001.01000000.00000004.sdmp, dktozm.exe, 00000002.00000002.512729465.000000000117B000.00000002.00000001.01000000.00000004.sdmp, vxmtbmahtsqaf.exe, 00000005.00000000.271738739.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, vxmtbmahtsqaf.exe, 00000005.00000000.292788386.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, vxmtbmahtsqaf.exe, 00000008.00000000.291649043.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, vxmtbmahtsqaf.exe, 00000008.00000000.288899385.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, dktozm.exe.0.dr, nsa28F1.tmp.0.dr, vxmtbmahtsqaf.exe.1.dr | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, | 0_2_00405426 |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, | 0_2_00405D9C |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_004026A1 FindFirstFileA, | 0_2_004026A1 |
| Yara match | File source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE | |
| dktozm.exe, 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | |
| dktozm.exe, 00000001.00000002.255049339.00000000006BA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: `<HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>` | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, | 0_2_00404FDD |
| 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen | |
| 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen | |
| 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen | |
| 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen | |
| 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen | |
| 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload | |
| 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload | |
| 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload | |
| 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload | |
| 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload | |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 636 | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, | 0_2_004032FA |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_004047EE | 0_2_004047EE |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_00406083 | 0_2_00406083 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_01177444 | 1_2_01177444 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_01176960 | 1_2_01176960 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_01174A4E | 1_2_01174A4E |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_0117967D | 1_2_0117967D |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_011786B1 | 1_2_011786B1 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_01176ED2 | 1_2_01176ED2 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_00A10C26 | 1_2_00A10C26 |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Code function: 5_2_00E27444 | 5_2_00E27444 |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Code function: 5_2_00E26960 | 5_2_00E26960 |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Code function: 5_2_00E26ED2 | 5_2_00E26ED2 |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Code function: 5_2_00E286B1 | 5_2_00E286B1 |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Code function: 5_2_00E2967D | 5_2_00E2967D |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Code function: 5_2_00E24A4E | 5_2_00E24A4E |
| OR098765458900009876540.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | File read: C:\Users\user\Desktop\OR098765458900009876540.exe | |
| OR098765458900009876540.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | |
| unknown | Process created: C:\Users\user\Desktop\OR098765458900009876540.exe "C:\Users\user\Desktop\OR098765458900009876540.exe" | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Process created: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Process created: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh | |
| unknown | Process created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe "C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe" | |
| unknown | Process created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe "C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe" | |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 176 | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | File created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | File created: C:\Users\user\AppData\Local\Temp\nsa28F0.tmp | |
| classification engine | Classification label: mal100.troj.evad.winEXE@9/13@0/0 | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_00402078 CoCreateInstance,MultiByteToWideChar, | 0_2_00402078 |
| C:\Users\user\Desktop\OR098765458900009876540.exe | File read: C:\Users\desktop.ini | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, | 0_2_00404333 |
| C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6584 | |
| C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6776 | |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Command line argument: & | 5_2_00E22640 |
| C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_0116F115 push ecx; ret | 1_2_0116F128 |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Code function: 5_2_00E1F115 push ecx; ret | 5_2_00E1F128 |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress, | 0_2_00405DDA |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | File created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | File created: C:\Users\user\AppData\Local\Temp\dktozm.exe | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xnfumqdlkjxkua | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | Process information set: NOOPENFILEERRORBOX | |
| C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX | |
| C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess | |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | API coverage: 2.6 % | |
| C:\Users\user\Desktop\OR098765458900009876540.exe | API call chain: ExitProcess graph end node | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | API call chain: ExitProcess graph end node | |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | API call chain: ExitProcess graph end node | |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_0116E981 _memset,IsDebuggerPresent, | 1_2_0116E981 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_01174475 RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, | 1_2_01174475 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_0117546A __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, | 1_2_0117546A |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_00A106F7 mov eax, dword ptr fs:[00000030h] | 1_2_00A106F7 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_00A1061D mov eax, dword ptr fs:[00000030h] | 1_2_00A1061D |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_00A103F8 mov eax, dword ptr fs:[00000030h] | 1_2_00A103F8 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_00A10736 mov eax, dword ptr fs:[00000030h] | 1_2_00A10736 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_00A10772 mov eax, dword ptr fs:[00000030h] | 1_2_00A10772 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_0117159B SetUnhandledExceptionFilter, | 1_2_0117159B |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_011715CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 1_2_011715CC |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Code function: 5_2_00E215CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 5_2_00E215CC |
| C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe | Code function: 5_2_00E2159B SetUnhandledExceptionFilter, | 5_2_00E2159B |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_0116FF53 cpuid | 1_2_0116FF53 |
| C:\Users\user\AppData\Local\Temp\dktozm.exe | Code function: 1_2_011710C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 1_2_011710C8 |
| Yara match | File source: 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE | |
| Yara match | File source: 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE | |
| Yara match | File source: 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE | |
| Yara match | File source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | |
| Yara match | File source: Process Memory Space: dktozm.exe PID: 6336, type: MEMORYSTR | |