Edit tour

Windows Analysis Report
OR098765458900009876540.exe

Overview

General Information

Sample Name:	OR098765458900009876540.exe
Analysis ID:	635066
MD5:	cb490dd90ce8d9d11aadb9765abbe5e5
SHA1:	1557b8f1f9c2879a8de75689530f78d796d8fc04
SHA256:	c0f90aecb695c93c21e13bbb346f794928bd4dfdde1c3c88c70f62acaf1d368e
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Multi AV Scanner detection for dropped file

Machine Learning detection for sample

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Yara detected Generic Downloader

Machine Learning detection for dropped file

Uses 32bit PE files

Yara signature match

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

OR098765458900009876540.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\OR098765458900009876540.exe" MD5: CB490DD90CE8D9D11AADB9765ABBE5E5)

dktozm.exe (PID: 6336 cmdline: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh MD5: 685EB78DF42DD988151ECF00D69BBBF8)

dktozm.exe (PID: 6372 cmdline: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh MD5: 685EB78DF42DD988151ECF00D69BBBF8)

vxmtbmahtsqaf.exe (PID: 6584 cmdline: "C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe" MD5: 685EB78DF42DD988151ECF00D69BBBF8)

WerFault.exe (PID: 6056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

vxmtbmahtsqaf.exe (PID: 6776 cmdline: "C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe" MD5: 685EB78DF42DD988151ECF00D69BBBF8)

WerFault.exe (PID: 3976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 176 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "muhasebe@parkhotelizmir.com", "Password": "zHhYkTCp0(bk", "Host": "mail.parkhotelizmir.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x423c7:$s1: get_kbok 0x42d1c:$s2: get_CHoo 0x43977:$s3: set_passwordIsSet 0x421cb:$s4: get_enableLog 0x46893:$s8: torbrowser 0x4526f:$s10: logins 0x44be7:$s11: credential 0x415b7:$g1: get_Clipboard 0x415c5:$g2: get_Keyboard 0x415d2:$g3: get_Password 0x42bca:$g4: get_CtrlKeyDown 0x42bda:$g5: get_ShiftKeyDown 0x42beb:$g6: get_AltKeyDown
Process Memory Space: dktozm.exe PID: 6336	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.dktozm.exe.a31658.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.dktozm.exe.a31658.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.dktozm.exe.a31658.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.dktozm.exe.a31658.0.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d6f:$s1: get_kbok 0x316c4:$s2: get_CHoo 0x3231f:$s3: set_passwordIsSet 0x30b73:$s4: get_enableLog 0x3523b:$s8: torbrowser 0x33c17:$s10: logins 0x3358f:$s11: credential 0x2ff5f:$g1: get_Clipboard 0x2ff6d:$g2: get_Keyboard 0x2ff7a:$g3: get_Password 0x31572:$g4: get_CtrlKeyDown 0x31582:$g5: get_ShiftKeyDown 0x31593:$g6: get_AltKeyDown
1.2.dktozm.exe.a31658.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.dktozm.exe.a31658.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.dktozm.exe.a31658.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x2ef6f:$s1: get_kbok 0x2f8c4:$s2: get_CHoo 0x3051f:$s3: set_passwordIsSet 0x2ed73:$s4: get_enableLog 0x3343b:$s8: torbrowser 0x31e17:$s10: logins 0x3178f:$s11: credential 0x2e15f:$g1: get_Clipboard 0x2e16d:$g2: get_Keyboard 0x2e17a:$g3: get_Password 0x2f772:$g4: get_CtrlKeyDown 0x2f782:$g5: get_ShiftKeyDown 0x2f793:$g6: get_AltKeyDown
1.2.dktozm.exe.a20000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.dktozm.exe.a20000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.dktozm.exe.a20000.1.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x3f9c7:$s1: get_kbok 0x4031c:$s2: get_CHoo 0x40f77:$s3: set_passwordIsSet 0x3f7cb:$s4: get_enableLog 0x43e93:$s8: torbrowser 0x4286f:$s10: logins 0x421e7:$s11: credential 0x3ebb7:$g1: get_Clipboard 0x3ebc5:$g2: get_Keyboard 0x3ebd2:$g3: get_Password 0x401ca:$g4: get_CtrlKeyDown 0x401da:$g5: get_ShiftKeyDown 0x401eb:$g6: get_AltKeyDown
1.2.dktozm.exe.a20000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.dktozm.exe.a20000.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
1.2.dktozm.exe.a20000.1.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x423c7:$s1: get_kbok 0x42d1c:$s2: get_CHoo 0x43977:$s3: set_passwordIsSet 0x421cb:$s4: get_enableLog 0x46893:$s8: torbrowser 0x4526f:$s10: logins 0x44be7:$s11: credential 0x415b7:$g1: get_Clipboard 0x415c5:$g2: get_Keyboard 0x415d2:$g3: get_Password 0x42bca:$g4: get_CtrlKeyDown 0x42bda:$g5: get_ShiftKeyDown 0x42beb:$g6: get_AltKeyDown
Click to see the 8 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.dktozm.exe.a20000.1.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "muhasebe@parkhotelizmir.com", "Password": "zHhYkTCp0(bk", "Host": "mail.parkhotelizmir.com"}

Multi AV Scanner detection for submitted file

Source: OR098765458900009876540.exe	Virustotal: Detection: 28%			Perma Link
Source: OR098765458900009876540.exe	ReversingLabs: Detection: 26%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Virustotal: Detection: 40%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Virustotal: Detection: 40%	Perma Link
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	ReversingLabs: Detection: 26%

Machine Learning detection for sample

Source: OR098765458900009876540.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Joe Sandbox ML: detected

Source: OR098765458900009876540.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: C:\fhkoa\tmrvof\utxf\9028a39e21cc4788aca7630018f06cbf\jixuwv\evsohjmi\Release\evsohjmi.pdb source: OR098765458900009876540.exe, 00000000.00000002.269600052.000000000040B000.00000004.00000001.01000000.00000003.sdmp, OR098765458900009876540.exe, 00000000.00000002.269786138.0000000002734000.00000004.00000800.00020000.00000000.sdmp, dktozm.exe, 00000001.00000002.255310840.000000000117B000.00000002.00000001.01000000.00000004.sdmp, dktozm.exe, 00000001.00000002.255152045.0000000000E60000.00000004.00001000.00020000.00000000.sdmp, dktozm.exe, 00000001.00000000.250355664.000000000117B000.00000002.00000001.01000000.00000004.sdmp, dktozm.exe, 00000002.00000002.512729465.000000000117B000.00000002.00000001.01000000.00000004.sdmp, vxmtbmahtsqaf.exe, 00000005.00000000.271738739.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, vxmtbmahtsqaf.exe, 00000005.00000000.292788386.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, vxmtbmahtsqaf.exe, 00000008.00000000.291649043.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, vxmtbmahtsqaf.exe, 00000008.00000000.288899385.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, dktozm.exe.0.dr, nsa28F1.tmp.0.dr, vxmtbmahtsqaf.exe.1.dr

Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Code function: 0_2_004026A1 FindFirstFileA,

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE

Source: dktozm.exe, 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

Source: dktozm.exe, 00000001.00000002.255049339.00000000006BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

Code function: 0_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Source: OR098765458900009876540.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 636

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

Code function: 0_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Code function: 0_2_004047EE
Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Code function: 0_2_00406083
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_01177444
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_01176960
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_01177444
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_01176960
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_01177444
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_01174A4E
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_01174A4E
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_0117967D
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_011786B1
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_01176ED2
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_00A10C26
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E27444
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E26960
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E27444
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E26960
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E27444
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E26ED2
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E286B1
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E2967D
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E24A4E
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E24A4E

Source: OR098765458900009876540.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: OR098765458900009876540.exe	Virustotal: Detection: 28%
Source: OR098765458900009876540.exe	ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

File read: C:\Users\user\Desktop\OR098765458900009876540.exe

Jump to behavior

Source: OR098765458900009876540.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\OR098765458900009876540.exe "C:\Users\user\Desktop\OR098765458900009876540.exe"
Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Process created: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Process created: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe "C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe "C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe"
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 636
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 176
Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Process created: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Process created: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe

File created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg

Jump to behavior

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

File created: C:\Users\user\AppData\Local\Temp\nsa28F0.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@9/13@0/0

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

Code function: 0_2_00402078 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

Code function: 0_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6584
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6776

Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe

Command line argument: &

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source:

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_0116F115 push ecx; ret
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E1F115 push ecx; ret

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	File created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe			Jump to dropped file
Source: C:\Users\user\Desktop\OR098765458900009876540.exe	File created: C:\Users\user\AppData\Local\Temp\dktozm.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xnfumqdlkjxkua			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xnfumqdlkjxkua			Jump to behavior

Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe

API coverage: 2.6 %

Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\OR098765458900009876540.exe	Code function: 0_2_004026A1 FindFirstFileA,

Source: C:\Users\user\Desktop\OR098765458900009876540.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe

Code function: 1_2_0116E981 _memset,IsDebuggerPresent,

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe

Code function: 1_2_01174475 RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

Source: C:\Users\user\Desktop\OR098765458900009876540.exe

Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe

Code function: 1_2_0117546A __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_00A106F7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_00A1061D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_00A103F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_00A10736 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_00A10772 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_0117159B SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe	Code function: 1_2_011715CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E215CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	Code function: 5_2_00E2159B SetUnhandledExceptionFilter,

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe

Process created: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe

Code function: 1_2_0116FF53 cpuid

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe

Code function: 1_2_011710C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dktozm.exe PID: 6336, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dktozm.exe PID: 6336, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	12 Native API	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	11 Process Injection	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
OR098765458900009876540.exe	29%	Virustotal		Browse
OR098765458900009876540.exe	27%	ReversingLabs	Win32.Trojan.AgentTesla
OR098765458900009876540.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\dktozm.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\dktozm.exe	40%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\dktozm.exe	27%	ReversingLabs	Win32.Trojan.Jaik
C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	40%	Virustotal		Browse
C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe	27%	ReversingLabs	Win32.Trojan.Jaik

Source	Detection	Scanner	Label	Link
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	dktozm.exe, 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635066
Start date and time: 27/05/202212:12:20	2022-05-27 12:12:20 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 28s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	OR098765458900009876540.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@9/13@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 96.3% (good quality ratio 90.1%) Quality average: 78.1% Quality standard deviation: 29%
HCA Information:	Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.189.173.22, 52.152.110.14, 20.54.89.106, 40.125.122.176, 20.223.24.244, 52.242.101.226
Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, onedsblobprdwus17.westus.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
12:13:25	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run xnfumqdlkjxkua C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe
12:13:34	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run xnfumqdlkjxkua C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe
12:14:00	API Interceptor	2x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vxmtbmahtsqaf.ex_cb9e76617add17783445895d2c3df37ac7ad2b_79937427_0fb4cdeb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9311478251749132
Encrypted:	false
SSDEEP:	192:jsPMipweHv8ejcljb7aRq/u7sPS274Itd:APMipwWv8ejclj/P/u7sPX4Itd
MD5:	85F1C3E2A2BD3CC87CD6EE3DE8ACD1FC
SHA1:	31E9876651340526DF41D043D41B77E8387AD597
SHA-256:	E5618E7F21BE742EE2B66A2B5D8678B4993B2E82DCEFF0BDAA9E3EE3786BD1EF
SHA-512:	514729E7DD77686F0FE62791375E89B4B7FF8CC37DF479177581D1D9CC85D3BB7051DEFBA9DE44DE47FE0CAA4E98577990AE82C554CFC0003109F4DD566E2506
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.8.1.5.2.4.4.2.3.3.9.8.6.3.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.8.1.5.2.4.4.4.3.5.5.4.4.8.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.b.c.5.d.7.a.-.e.f.e.a.-.4.d.6.b.-.9.5.4.c.-.1.3.2.6.2.a.c.3.d.5.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.5.6.3.b.4.0.b.-.9.6.c.9.-.4.0.7.6.-.b.b.3.f.-.0.f.4.9.2.a.2.d.7.f.f.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.x.m.t.b.m.a.h.t.s.q.a.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.7.8.-.0.0.0.1.-.0.0.1.d.-.a.0.f.d.-.2.5.e.1.f.d.7.1.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.b.8.1.d.f.f.f.7.8.8.7.6.5.7.2.f.4.4.c.0.2.f.9.2.6.2.e.1.d.3.8.0.0.0.0.f.f.f.f.!.0.0.0.0.d.8.2.8.2.c.8.e.5.a.7.0.d.8.d.5.f.9.d.a.1.4.9.e.a.f.9.4.0.f.d.c.3.6.6.a.8.7.5.6.!.v.x.m.t.b.m.a.h.t.s.q.a.f...e.x.e.....T.a.r.g.e.t.A.p.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vxmtbmahtsqaf.ex_cb9e76617add17783445895d2c3df37ac7ad2b_79937427_1794bb3d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9380095501138146
Encrypted:	false
SSDEEP:	192:h7HG4MiPweHv8ejcljRkKDq/u7sPS274Itd:tHG4MiPwWv8ejcljTu/u7sPX4Itd
MD5:	B45E212FDB7EE4DB50E049AC0814264E
SHA1:	27E3D033E3DE5F302FF9004A17AFA8B5B8B4CCFF
SHA-256:	E1C6BBCB32E31C7EF7F08BFE1768E6C9CA785284A107842F3A2044C9BC547F42
SHA-512:	0C3EEC0B760572237F3EC21C9D0F26CE962DC69F45BD69725C31CD0E6B1A6BD80671BB9B61AB1B9836DD62DA7E5ECDECE35E7BF092809E11B482A3924D2D91A0
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.8.1.5.2.4.3.3.8.3.4.9.3.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.8.1.5.2.4.3.9.3.8.1.8.1.4.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.6.5.e.b.1.a.b.-.8.b.4.d.-.4.a.e.1.-.9.5.b.3.-.c.4.0.7.3.7.4.7.1.7.b.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.8.d.2.b.0.2.1.-.3.d.c.e.-.4.f.a.6.-.b.e.7.3.-.8.4.c.f.1.4.8.7.2.2.a.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.v.x.m.t.b.m.a.h.t.s.q.a.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.b.8.-.0.0.0.1.-.0.0.1.d.-.b.b.a.e.-.4.1.d.c.f.d.7.1.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.b.8.1.d.f.f.f.7.8.8.7.6.5.7.2.f.4.4.c.0.2.f.9.2.6.2.e.1.d.3.8.0.0.0.0.f.f.f.f.!.0.0.0.0.d.8.2.8.2.c.8.e.5.a.7.0.d.8.d.5.f.9.d.a.1.4.9.e.a.f.9.4.0.f.d.c.3.6.6.a.8.7.5.6.!.v.x.m.t.b.m.a.h.t.s.q.a.f...e.x.e.....T.a.r.g.e.t.A.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F88.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri May 27 19:13:54 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	47428
Entropy (8bit):	1.7821677765394452
Encrypted:	false
SSDEEP:	192:GxRgEbGlEyYjcQOcR1xTEVOBW2yIN5Zlo9AsDPp2eTGL:WKEyyzwczxTEVOB7yo5Zloi43Ts
MD5:	F7A76692998799979470CEC931C45034
SHA1:	B4F10A6BE024B3A2BEF30FE742DA3FAC51BE4D5B
SHA-256:	B25FE543B8D2DAF512C479772D276DE13AA195F7897145E6E1CFCB2D5381DC14
SHA-512:	C41A373713695FD97393F8A5F8DFA78F4F9866B5E35326BA73EC23E9975A72EDDF463C2F23734C058F6FF754E782D896120DCDB7BB62AB59BF85485616472BA0
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........".b........................................R0..........T.......8...........T...........8................................................................................................U...........B......P.......GenuineIntelW...........T............".b............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA536.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8408
Entropy (8bit):	3.69419278114427
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNieK6G56YWMSUyjrgmf3SccCpDgV89bqrsfo4um:RrlsNir6o6YNSUyPgmf3Sc7qwfoI
MD5:	E599241B68B02B574619755E424D0369
SHA1:	9EC429B845615F1441E0246ED9CAA3FAC6A1843E
SHA-256:	D71AB80C38DAF462C396486BB45260993F54DDFDA48F3EA78E6147B84A846E29
SHA-512:	AF88CACD4BAAC18AE84CED2CF9B016BCEB4B0D0111FFDDE2C1A34DB300B4F26EACA613187AC885CE9598F16432A7A9FE5A2A9E7BA0F116E34C9621791F5EB8CF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.8.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA19.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4685
Entropy (8bit):	4.430789063702757
Encrypted:	false
SSDEEP:	48:cvIwSD8zsoJgtWI9DLWgc8sqYjX8fm8M4Jv1FX+q8veEbFeGLKCvkd:uITfug6grsqYoJ/KnbFRL7vkd
MD5:	1816EDBA538B2E76FF10329EC3D6F6A9
SHA1:	215C8AF61A69A3831D84C31A787511EAD030A41C
SHA-256:	980E1913C733AFF961E8F9E9F83A506C60DE3688744FF4D33FE88C628DD7EBAE
SHA-512:	48EEAEFB5D3CB8A93829BE315F05DA8363CDD86E4DBE3BB27457F25D10C5EC45059D9E2E9C90ECC898383AE963BA8DF0105E9E88F7A9E27F2608F7C053C513CD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1533864" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0CB.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri May 27 19:14:03 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	38540
Entropy (8bit):	1.9579536066282275
Encrypted:	false
SSDEEP:	192:jkRZ6QB9dPeOIRiVA96qAdH7dv/7X8yLR4:oPLxPZIAVA96qAdH7dv/4
MD5:	933DFE279B92B4B539715271C1428B80
SHA1:	44B168FF2A0922AE28E5666CBAD0EAA2B44D63CC
SHA-256:	1E7B9E8242796B2B9617B106A3E7D894B70998503B8F4B2955B2B56C6B62DBF2
SHA-512:	8A6A6CB417AD858B1379705A5360733362099CED67E0C0B0601569198F0F53A7E9ADFE216C9E7C3BB88066C0EB917ABAA6B2DF0A4AE0D48F923B77D2365B901A
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........".b.........................................,..........T.......8...........T........... ...l~..........0................................................................................U...........B..............GenuineIntelW...........T.......x....".b............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5BE.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8410
Entropy (8bit):	3.6935135824172765
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipb6iV6YW/SUFQOgmf3SccCpDgcq89b+osf9Rqm:RrlsNil6iV6YuSUFQOgmf3SclT+bf99
MD5:	E9118A1901C356681D0B1467AE555510
SHA1:	86B3682858CFF23C0072A79844BF3C6AF807AFB4
SHA-256:	4057C7935F0F6E4DFFC68306BFF5970E67FD2437D328C1FA405F6B91AA3B0042
SHA-512:	43F03F0DF1690959A8533FD21B5FD0F081A9C9407C03D8B0CCB7CEE0BE61C36CFAD714A662463F52EEAF9B8FB9A80A4D4584B4941A73C89A1B168B7009236243
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.7.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC745.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4685
Entropy (8bit):	4.4327683606503605
Encrypted:	false
SSDEEP:	48:cvIwSD8zsoJgtWI9DLWgc8sqYjD8fm8M4Jv1FF+q8veJFeGLKCvgd:uITfug6grsqYsJ9K8FRL7vgd
MD5:	242123207DC4CB278704A0D068BD21E7
SHA1:	02087A9B0B4873D1039EC444062E2EFB216B9389
SHA-256:	4FE98854E7F0C473441C924E8AC95BCCF9FCEC1A593319D5F821B2838D16320E
SHA-512:	0E8E457BCB117C646153040249630BD01ACCEB7E8CCB01EA3BFA32D482DBA14A78C9830C0E78BD25A379A00595CCF0B38039D4EC7359A1474146269C2B924184
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1533864" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Temp\dktozm.exe

Download File

Process:	C:\Users\user\Desktop\OR098765458900009876540.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	6.407323687210526
Encrypted:	false
SSDEEP:	1536:/VTOG+x8+YaGDARvmJVBqNvnlajcCOO0LdXU8JiA1OySuJuRqSnakMP1BOBYCH4E:wfbnR6BqNvncvhw4u+qSng1kGCUHt
MD5:	685EB78DF42DD988151ECF00D69BBBF8
SHA1:	D8282C8E5A70D8D5F9DA149EAF940FDC366A8756
SHA-256:	17B6C8284FCA1E77875DA1945DE13B20EF80E9422E2284EF6DC9FF1264A70D77
SHA-512:	C4EBB121602A484144DBDF4F23FB9093513BE870C04AAA082CDBF8C22583CDBF383669E483182CBCB7E6F94E225E68643553DABB3CDB9E3E6B80BE0D2284BD3D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 40%, Browse Antivirus: ReversingLabs, Detection: 27%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..8.~ck.~ck.~ck.,.k.~ck.,.k.~ck.,.kp~ck..bj.~ck.~bk.~ck..gj.~ck...k.~ck..aj.~ckRich.~ck................PE..L....<.b............................w.............@..........................p............@.................................\|........P.......................`......x...T...........................0...@...............4............................text............................... ..`.rdata...P.......R..................@..@.data....1..........................@....rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hgwowmqnjcs91i7x

Download File

Process:	C:\Users\user\Desktop\OR098765458900009876540.exe
File Type:	data
Category:	dropped
Size (bytes):	293375
Entropy (8bit):	7.957092929980963
Encrypted:	false
SSDEEP:	6144:24KAZdkDQ6KmS+bPFFfuDDkLL90wa0rjHcXRvkm3RwxOZ7AeAKXyBJ92po:yAZCQfmS+bt5u8SHsLoRsmBIisSQJ95
MD5:	DA1FBC1E880C5844C5DE93D355DC623F
SHA1:	35902D81B16D200E9CAE241B133CE5C199566DC7
SHA-256:	8181B3C286A944B8949E3633E97D464F17F9C986160955065D65025A249F7C54
SHA-512:	0BD817CD578E8384C7829CBE62E0FDB59C77F048226D7927899C8886C05F242DC143A846EE90DCEFDEFB12E8E9FF1FC0461BFC2F01741C4CB80CB8FACCF08D5D
Malicious:	false
Reputation:	low
Preview:	.;(.M\]....:3..;9..6D.......A."}.H...}...v.......-fO.(..oF...s[\ a..3I..+y;....-6L..A.=..Z..Y-..Co...Z..4.\|..-..Gm.B....@..3.z..7.E.E..o.2.?3.).%..e.-j....+.$..b.~.+.Dv....`.\|.S...%r.n...].hq.L.....a.......T.&8Al9..A......X}......3.....6+j=.1.Y..=.].yS.Y}3.";9.j6..J.T.TA."..H...............-.O.0..o..wd.4 ...yq....Y.r2..?.3.Zr/....!"I..O....Ih.T......N...B.....>=.D..4...s.!H.Bp...6U3... .......CPaG].\.{t6.S.1...:GY`....`o.#.K...I......s........{..V.D..A P......N.5B...-.&.c....j=...Y.Ol\].1..Y.3.";9..6D.......A....A....G...........fO.(..o...d84......C.F.Y.eH...W3..r/.,...!.I..O..n.B....xx...N.q'#..8......`4...s>...Bp...6U.... .......CPaG].C...t6.S.1...:GY`....`o.#.K...IL.r...s.............D..A P......N.5B...-.&....6+j=..)Y.OM\]....Y}3.";9..6D.......A."}.H...}...v.......-fO.(..o...d84 ....q....Y.rP....3.Zr/.....!.I..O..n.I..T....4.N...B..........4...s>...Bp...6U3... .......CPaG].C...t6.S.1...:GY`....`o.#.K...IL.r...s.............D..A P..

C:\Users\user\AppData\Local\Temp\nsa28F1.tmp

Download File

Process:	C:\Users\user\Desktop\OR098765458900009876540.exe
File Type:	data
Category:	dropped
Size (bytes):	440782
Entropy (8bit):	7.672595381068025
Encrypted:	false
SSDEEP:	12288:FAZCQfmS+bt5u8SHsLoRsmBIisSQJ9PycWVJ:FAZVfmS+btM8pLo1BIis/
MD5:	35B2CAB2BB1FC169A7D95B88797261D5
SHA1:	C5B56CF62B59B5E57692791B94C01BB910A5A588
SHA-256:	3227DA1033099DB1F8DF206C3CA639EDA1770DE2E4AFBAC8477854BBB70576F3
SHA-512:	E23AA89C59EC2F44BB2AE5C506EBC84E59216646C171EF333F1F41BF27A7F559F52C44A95FB6FB2BCFA8E574261104A759C9DD3A2552ABBBE804904EB982AB9B
Malicious:	false
Preview:	7.......,...................8...........q.......7...........................................................................................................................................................................................................................................B...............}...j...............................................................................................................................].......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tweziehjnh

Download File

Process:	C:\Users\user\Desktop\OR098765458900009876540.exe
File Type:	data
Category:	dropped
Size (bytes):	7816
Entropy (8bit):	6.058140230956638
Encrypted:	false
SSDEEP:	192:/B2CPdrYpMPFgH5UrdKb8kMCw/T43Ed6c+ghNPPtNNeAe5j1YZ:tY6PFgZUrdJ7FeAe5j1G
MD5:	D6431A217236A88180593D1116640D96
SHA1:	9332040CF2A4C7CA21A146C4F999AB3977C45BEC
SHA-256:	0828DFF4118755DE9226F4A9EF994BA7D27E19DAF83D9B5973896E3F754350AF
SHA-512:	91852E6CAE7546C9CDABF2AE87D2E4BE5B44A7BB79ABA8A3BC331B0FE35B82603D7C552DE6A587F60A7440F336214254CABB4646DCF4BAD7458D2B9BC7EF62C0
Malicious:	false
Preview:	a......d.d........H..h..H..`..O................`......p..t.........`n.....x..\|.........`y.....@..D.........`T.....H..L.........H...1..h..l...`..A..`..d..`....I.z....`.....J.......l...`........C...p..x..@...H...h...`................f.....p..........`....O..........C.........AJ....d....H..................I..I....................AJ...N.`....`....J....w.`..`....J.....3.`...`...J....d.d...H..`O.......p..........N............cl`.....H....1...A...p...t..`1..Ii...p...t....H...p...w.`C....`z.....c...`....`.............c.O.......AJ....d.d..H..`O.......H..........N............cl`1....H........1...A...H...L..1..Ii...H...L..1..yi..H...L...A...z...H..L..`1..Ii...H...L....H...H..N.`j....`a.............`....c................`.............c.O.......AJ....d.d.O.......l..........N............cl`*....H....1...A...l...`..1..Ii...l...`....H...l....3.`.....`......c.......`_..

C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\dktozm.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	135168
Entropy (8bit):	6.407323687210526
Encrypted:	false
SSDEEP:	1536:/VTOG+x8+YaGDARvmJVBqNvnlajcCOO0LdXU8JiA1OySuJuRqSnakMP1BOBYCH4E:wfbnR6BqNvncvhw4u+qSng1kGCUHt
MD5:	685EB78DF42DD988151ECF00D69BBBF8
SHA1:	D8282C8E5A70D8D5F9DA149EAF940FDC366A8756
SHA-256:	17B6C8284FCA1E77875DA1945DE13B20EF80E9422E2284EF6DC9FF1264A70D77
SHA-512:	C4EBB121602A484144DBDF4F23FB9093513BE870C04AAA082CDBF8C22583CDBF383669E483182CBCB7E6F94E225E68643553DABB3CDB9E3E6B80BE0D2284BD3D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 40%, Browse Antivirus: ReversingLabs, Detection: 27%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G..8.~ck.~ck.~ck.,.k.~ck.,.k.~ck.,.kp~ck..bj.~ck.~bk.~ck..gj.~ck...k.~ck..aj.~ckRich.~ck................PE..L....<.b............................w.............@..........................p............@.................................\|........P.......................`......x...T...........................0...@...............4............................text............................... ..`.rdata...P.......R..................@..@.data....1..........................@....rsrc........P......................@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.159985869716827
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OR098765458900009876540.exe
File size:	511491
MD5:	cb490dd90ce8d9d11aadb9765abbe5e5
SHA1:	1557b8f1f9c2879a8de75689530f78d796d8fc04
SHA256:	c0f90aecb695c93c21e13bbb346f794928bd4dfdde1c3c88c70f62acaf1d368e
SHA512:	13b45813a974c849e458190a62ff1d23f32ec4e05d6786b81196082a5983ac7c63ab2b8e62953b3299067fa7a33d65cd6503762e927e1a35752bf516817f4d34
SSDEEP:	6144:s0YynsIMquMA3WcHWlZMZ6hBTQaN2SX1RtUfVYuoPgymDvTvPIzwaIv6:5wqIWMCZMZW2aNl1RtsVYuRymDbI8l6
TLSH:	69B457E42343C2B5EC05A73918D28921F2366F862D20D97E2602BBFAFF7F19B54151E5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qJ...$...$...$./.{...$...%.;.$.".y...$..3....$.f."...$.Rich..$.........................PE..L.....iF.................Z.........

File Icon


Icon Hash:	70ccb2b0e8e8e431

Static PE Info

General

Entrypoint:	0x4032fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4669CEB6 [Fri Jun 8 21:48:38 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	55f3dfd13c0557d3e32bcbc604441dd3

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409170h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push ebx
call dword ptr [00407278h]
mov dword ptr [00423FD4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F4E8h
call dword ptr [00407154h]
push 0040922Ch
push 00423720h
call 00007F4CD8B4F2E8h
call dword ptr [004070B4h]
mov edi, 00429000h
push eax
push edi
call 00007F4CD8B4F2D6h
push ebx
call dword ptr [00407108h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423F20h], eax
mov eax, edi
jne 00007F4CD8B4CB4Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F4CD8B4EDC9h
push eax
call dword ptr [00407218h]
mov dword ptr [esp+1Ch], eax
jmp 00007F4CD8B4CBA5h
cmp cl, 00000020h
jne 00007F4CD8B4CB48h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F4CD8B4CB3Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [esp+14h], 00000020h
jne 00007F4CD8B4CB48h
inc eax
mov byte ptr [esp+14h], 00000022h
cmp byte ptr [eax], 0000002Fh
jne 00007F4CD8B4CB75h
inc eax
cmp byte ptr [eax], 00000053h
jne 00007F4CD8B4CB50h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x2bcf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x288	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x59ac	0x5a00	False	0.668142361111	data	6.45807821776	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x117a	0x1200	False	0.4453125	data	5.17513527374	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1afd8	0x400	False	0.6015625	data	4.98110806401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x2bcf8	0x2be00	False	0.200710024929	data	4.39704209832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c310	0x3d2e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x30040	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x40868	0x94a8	data	English	United States
RT_ICON	0x49d10	0x5488	data	English	United States
RT_ICON	0x4f198	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16777215, next used block 4294967040	English	United States
RT_ICON	0x533c0	0x25a8	data	English	United States
RT_ICON	0x55968	0x10a8	data	English	United States
RT_ICON	0x56a10	0x988	data	English	United States
RT_ICON	0x57398	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x57800	0x100	data	English	United States
RT_DIALOG	0x57900	0x11c	data	English	United States
RT_DIALOG	0x57a20	0x60	data	English	United States
RT_GROUP_ICON	0x57a80	0x84	data	English	United States
RT_MANIFEST	0x57b08	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, CreateFileA, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CloseHandle, ExitProcess, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	12:13:22
Start date:	27/05/2022
Path:	C:\Users\user\Desktop\OR098765458900009876540.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OR098765458900009876540.exe"
Imagebase:	0x400000
File size:	511491 bytes
MD5 hash:	CB490DD90CE8D9D11AADB9765ABBE5E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: dktozm.exePID: 6336, Parent PID: 6300

General

Target ID:	1
Start time:	12:13:24
Start date:	27/05/2022
Path:	C:\Users\user\AppData\Local\Temp\dktozm.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh
Imagebase:	0x1160000
File size:	135168 bytes
MD5 hash:	685EB78DF42DD988151ECF00D69BBBF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 40%, Virustotal, Browse Detection: 27%, ReversingLabs
Reputation:	low

Analysis Process: dktozm.exePID: 6372, Parent PID: 6336

General

Target ID:	2
Start time:	12:13:25
Start date:	27/05/2022
Path:	C:\Users\user\AppData\Local\Temp\dktozm.exe
Wow64 process (32bit):
Commandline:	C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh
Imagebase:
File size:	135168 bytes
MD5 hash:	685EB78DF42DD988151ECF00D69BBBF8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: vxmtbmahtsqaf.exePID: 6584, Parent PID: 3968

General

Target ID:	5
Start time:	12:13:34
Start date:	27/05/2022
Path:	C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe"
Imagebase:	0xe10000
File size:	135168 bytes
MD5 hash:	685EB78DF42DD988151ECF00D69BBBF8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 40%, Virustotal, Browse Detection: 27%, ReversingLabs
Reputation:	low

Analysis Process: vxmtbmahtsqaf.exePID: 6776, Parent PID: 3968

General

Target ID:	8
Start time:	12:13:42
Start date:	27/05/2022
Path:	C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe"
Imagebase:	0xe10000
File size:	135168 bytes
MD5 hash:	685EB78DF42DD988151ECF00D69BBBF8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: WerFault.exePID: 6056, Parent PID: 6584

General

Target ID:	16
Start time:	12:13:53
Start date:	27/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 636
Imagebase:	0xa20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 3976, Parent PID: 6776

General

Target ID:	19
Start time:	12:14:01
Start date:	27/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 176
Imagebase:	0xa20000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OR098765458900009876540.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vxmtbmahtsqaf.ex_cb9e76617add17783445895d2c3df37ac7ad2b_79937427_0fb4cdeb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_vxmtbmahtsqaf.ex_cb9e76617add17783445895d2c3df37ac7ad2b_79937427_1794bb3d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F88.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA536.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA19.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC0CB.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5BE.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC745.tmp.xml

C:\Users\user\AppData\Local\Temp\dktozm.exe

C:\Users\user\AppData\Local\Temp\hgwowmqnjcs91i7x

C:\Users\user\AppData\Local\Temp\nsa28F1.tmp

C:\Users\user\AppData\Local\Temp\tweziehjnh

C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
OR098765458900009876540.exe