Windows Analysis Report
sexemulator.exe

Overview

General Information

Sample Name: sexemulator.exe
Analysis ID: 1325834
MD5: 30c841a6ac5220486e391cb20cde2211
SHA1: 16bfdfedc72ff4057f217f022b1cfc9801c5e75e
SHA256: 12772e06601fe7d3317b20284e5d0668ce41f51829c1527d8d042e735f9a7b80
Tags: exe

Detection

Agent Tesla, AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Agent Tesla keylogger
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected Generic Downloader
.NET source code contains very large strings
Contains functionality to capture screen (.Net source)
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
One or more processes crash
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Yara detected Credential Stealer

Classification

  • System is w10x64
  • sexemulator.exe (PID: 5068, cmdline: C:\Users\user\Desktop\sexemulator.exe, MD5: 30C841A6AC5220486E391CB20CDE2211)
    • WerFault.exe (PID: 2792, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1036, MD5: C31336C1EFC2CCB44B4326EA793040F2)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: sexemulator.exe PID: 5068 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: sexemulator.exe PID: 5068 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: sexemulator.exe PID: 5068 | JoeSecurity_Agenttesla_Smtp_Variant | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0.2.sexemulator.exe.4636468.2.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.sexemulator.exe.4636468.2.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.sexemulator.exe.4636468.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.sexemulator.exe.4636468.2.raw.unpack | AgentTesla_1 | AgentTesla Payload | kevoreilly
  • 0x109a0:$string1: smtp
  • 0x120e0:$string1: smtp
  • 0xff92:$string2: appdata
  • 0x1006a:$string3: 76487-337-8429955-22614
  • 0xffb6:$string4: yyyy-MM-dd HH:mm:ss
  • 0xff74:$string6: webpanel
  • 0x10b49:$string7: <br>UserName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:
  • 0x110fd:$string8: <br>IP Address&nbsp;&nbsp;:
0.2.sexemulator.exe.4636468.2.raw.unpack | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x14b45:$f1: FileZilla\recentservers.xml
  • 0x14c51:$f3: SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions
  • 0x14009:$b1: Chrome\User Data\
  • 0x32a8:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x3584:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x14081:$b4: Opera Software\Opera Stable\Login Data
  • 0x140e9:$b5: YandexBrowser\User Data\
  • 0x6d54:$s4: logins.json
  • 0x1415d:$s4: logins.json
  • 0x156e3:$s5: Account.CFN
  • 0x15e1b:$s6: wand.dat
  • 0x13fbd:$a1: username_value
  • 0x13fdb:$a2: password_value
  • 0x6da8:$a3: encryptedUsername
  • 0x141b1:$a3: encryptedUsername
  • 0x1482b:$a3: encryptedUsername
  • 0x6d84:$a4: encryptedPassword
  • 0x1418d:$a4: encryptedPassword
  • 0x1484f:$a4: encryptedPassword
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: sexemulator.exe; Avira: detected
Source: sexemulator.exe; Virustotal: Detection: 50%
Source: sexemulator.exe; Joe Sandbox ML: detected
Source: sexemulator.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: sexemulator.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Windows.Forms.pdb; source: WER117E.tmp.dmp.4.dr
Source: Binary string: mscorlib.pdb; source: sexemulator.exe, 00000000.00000002.2106372493.000000000343E000.00000004.00000800.00020000.00000000.sdmp, WER117E.tmp.dmp.4.dr
Source: Binary string: System.ni.pdbRSDS; source: WER117E.tmp.dmp.4.dr
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb; source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb; source: WER117E.tmp.dmp.4.dr
Source: Binary string: System.pdb4; source: WER117E.tmp.dmp.4.dr
Source: Binary string: System.Core.pdb; source: WER117E.tmp.dmp.4.dr
Source: Binary string: mscorlib.ni.pdbRSDS; source: WER117E.tmp.dmp.4.dr
Source: Binary string: orlib.pdb0; source: sexemulator.exe, 00000000.00000002.2105900576.0000000001681000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: r\VB.net\stealers\firefoxx64\firefox\obj\Debug\firefox.pdb; source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb; source: WER117E.tmp.dmp.4.dr
Source: Binary string: System.pdb; source: WER117E.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdbRSDS; source: WER117E.tmp.dmp.4.dr
Source: Binary string: System.Core.ni.pdb; source: WER117E.tmp.dmp.4.dr

Networking

Source: Yara match; File source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://89.47.1.10/aliasodit.php
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://DynDns.com
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://Paltalk.com
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/E
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://no-ip.com
Source: Amcache.hve.4.dr; String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; Memory string: get_Clipboard
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; Memory string: set_Sendwebcam
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; Memory string: get_ComputerName
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; Memory string: get_UserName
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, B.cs; .Net Code: O_U

System Summary

Source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTesla Payload, Author: kevoreilly
Source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTesla Payload, Author: kevoreilly
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTesla Payload, Author: kevoreilly
Source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE; Matched rule: AgentTesla Payload, Author: kevoreilly
Source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables containing common artifcats observed in infostealers, Author: ditekSHen
Source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload, Author: ditekSHen
Source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE; Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: Process Memory Space: sexemulator.exe PID: 5068, type: MEMORYSTR; Matched rule: agenttesla_smtp_variant, Author: j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!
Source: Yara match; File source: Process Memory Space: sexemulator.exe PID: 5068, type: MEMORYSTR
Source: Yara match; File source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: sexemulator.exe, Program.cs; Long String: Length: 249857
Source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE; Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE; Matched rule: AgentTesla_1 author = kevoreilly, description = AgentTesla Payload, cape_type = AgentTesla Payload
Source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: sexemulator.exe PID: 5068, type: MEMORYSTR; Matched rule: agenttesla_smtp_variant date = 2018/2, filetype = memory, reference3 = agent tesla == negasteal -- @coldshell, author = j from thl <j@techhelplist.com> with thx to @fumik0_ !!1!, version = stealer, reference1 = https://www.virustotal.com/#/file/1198865bc928a7a4f7977aaa36af5a2b9d5a949328b89dd87c541758516ad417/detection, reference2 = https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_negasteal.a
Source: sexemulator.exe, 00000000.00000002.2105900576.000000000164E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs sexemulator.exe
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameIELibrary.dll4 vs sexemulator.exe
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamefirefox.exe4 vs sexemulator.exe
Source: sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameFEPPWHQBELWLDYGZBERTGTAMDZGCNBHHVQTAKLRX.exe4 vs sexemulator.exe
Source: C:\Users\user\Desktop\sexemulator.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1036
Source: C:\Users\user\Desktop\sexemulator.exe; File read: C:\Users\user\Desktop\sexemulator.exe
Source: sexemulator.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sexemulator.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sexemulator.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\sexemulator.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: unknown; Process created: C:\Users\user\Desktop\sexemulator.exe C:\Users\user\Desktop\sexemulator.exe
Source: C:\Users\user\Desktop\sexemulator.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: sexemulator.exe, Program.cs; Base64 encoded string: '…'
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5068
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\67ac7e6f-a289-4704-9d40-2a6406bb5b51
Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/0
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, B.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, DJW.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\sexemulator.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: sexemulator.exe; Static file information: File size 9016896 > 1048576
Source: sexemulator.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

                  Data Obfuscation

                  barindex
                  Source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, DJW.cs.Net Code: FG System.Reflection.Assembly.Load(byte[])
                  Source: sexemulator.exeStatic PE information: 0x83E499D1 [Tue Feb 14 01:48:01 2040 UTC]
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\sexemulator.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: Amcache.hve.4.dr, Binary or memory string: VMware
Source: Amcache.hve.4.dr, Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr, Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr, Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr, Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr, Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr, Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr, Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr, Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr, Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr, Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr, Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr, Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr, Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr, Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr, Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr, Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr, Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr, Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr, Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr, Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr, Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr, Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr, Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr, Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr, Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr, Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr, Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr, Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\sexemulator.exe, Process queried: DebugPort
Source: C:\Users\user\Desktop\sexemulator.exe, Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\sexemulator.exe, Queries volume information: C:\Users\user\Desktop\sexemulator.exe VolumeInformation
Source: C:\Users\user\Desktop\sexemulator.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\sexemulator.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.4.dr, Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr, Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr, Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr, Binary or memory string: MsMpEng.exe
Source: Yara match, File source: 0.2.sexemulator.exe.4636468.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.sexemulator.exe.46215b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.sexemulator.exe.463a740.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.sexemulator.exe.46215b0.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: sexemulator.exe PID: 5068, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic column (a number in parentheses after a technique is the count of matched signatures for that technique; techniques without a number are unmatched template entries):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Software Packing (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Timestomp (1); Obfuscated Files or Information (1)
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery (21); Virtualization/Sandbox Evasion (1); System Information Discovery (12); System Network Configuration Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Screen Capture (1); Input Capture (1); Archive Collected Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
[Behavior graph: Behavior Graph ID 1325834, Sample: sexemulator.exe, Startdate: 15/10/2023, Architecture: WINDOWS, Score: 100. Signatures on the sample node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures. Process sexemulator.exe started, with signature Detected Agent Tesla keylogger; sexemulator.exe then started WerFault.exe.]

Source | Detection | Scanner | Label
sexemulator.exe | 51% | Virustotal |
sexemulator.exe | 100% | Avira | TR/Dropper.Gen
sexemulator.exe | 100% | Joe Sandbox ML |
Dropped files, unpacked PE files and contacted domains: No Antivirus matches
Source | Detection | Scanner | Label
http://DynDns.com | 0% | Avira URL Cloud | safe
http://no-ip.com | 0% | Avira URL Cloud | safe
http://89.47.1.10/aliasodit.php | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/E | 0% | Avira URL Cloud | safe
http://89.47.1.10/aliasodit.php | 4% | Virustotal |
http://no-ip.com | 0% | Virustotal |
http://checkip.dyndns.org/E | 0% | Virustotal |
http://DynDns.com | 0% | Virustotal |
                  No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.4.dr | false | | high
http://89.47.1.10/aliasodit.php | sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp | false | 4%, Virustotal; Avira URL Cloud: safe | unknown
http://DynDns.com | sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/E | sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://Paltalk.com | sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://no-ip.com | sexemulator.exe, 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                      No contacted IP infos
                      Joe Sandbox Version:38.0.0 Ammolite
                      Analysis ID:1325834
                      Start date and time:2023-10-15 06:30:56 +02:00
                      Joe Sandbox Product:CloudBasic
                      Overall analysis duration:0h 4m 46s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample file name:sexemulator.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@2/5@0/0
                      EGA Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 6
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 52.168.117.173
                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target sexemulator.exe, PID 5068 because it is empty
                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
06:31:52 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
No context (no IP, domain, ASN, JA3 fingerprint or dropped-file context)
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.9489208571960924
                      Encrypted:false
                      SSDEEP:96:d0FMvuvU/HPTPMldvxeruQXIDcQvc6QcEVcw3cE/X+BHUHZ0ownOgHkEwH3dEP/G:i29/wK0BU/aausUzuiFtZ24IO8/
                      MD5:24FE1153457C972CC45E3DE15F524E97
                      SHA1:651A16E2A78DCFC0CC352CC8B775DFE5AFCAD334
                      SHA-256:32D72ACC9A26F37C01C06D614201769C4AFCA534AEA9EC91F239415552DEA4DF
                      SHA-512:4DB1154475A5CA33886AD7D365F4A51B3B983D3F6C9A01B1CCEE8174F177C84476E3AD521CCA027B58656C4E7A903548F0CBFC4FF03FB2BB3EF069ADF112A942
                      Malicious:false
                      Reputation:low
Preview (UTF-16 decoded, truncated): Version=1 / EventType=CLR20r3 / EventTime=133418179093573763 / ReportType=2 / Consent=1 / UploadTime=133418179102792505 / ReportStatus=524384 / ReportIdentifier=ce8bbad8-e110-4267-a4c1-9ffa8c43f6b9 / IntegratorReportIdentifier=77406ed7-118d-411f-8780-6fccc095c9ee / Wow64Host=34404 / Wow64Guest=332 / NsAppName=sexemulator.exe / AppSessionGuid=000013cc-0001-0014-d468-c88220ffd901 / TargetAppId=W:00066c6ee9963eb4782cf0e3f45d0af867bb0000ffff!000016bfdfedc72ff4057f217f022b1cfc9801c5e75e!sexemulator.exe / TargetAp
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:Mini DuMP crash report, 15 streams, Sun Oct 15 04:31:49 2023, 0x1205a4 type
                      Category:dropped
                      Size (bytes):199989
                      Entropy (8bit):3.8822809044718696
                      Encrypted:false
                      SSDEEP:1536:msqghRpN4uE2aOjyp3LTgQ9YrSVX4HAEFwoCDNtTi6DCuBojRKn7wAq:mu4uEqcLTgwIyaSDLe6ms1
                      MD5:E350CED2F7140AB75FBF05D458D818E4
                      SHA1:FB315AA1C42EE31D842EDD95E19ED557579B55D5
                      SHA-256:C30203B01A71131EE7A71BA2877425445282CB2AB8D394AEEC42318BC03599E4
                      SHA-512:495891B5110ED456D369CC35B6FCDFF8C631301E690C830168DC7496FD7B51F051C5111139FAF6809A884A92D7D063EE9917425F9D5C51E6F4D3787B97A70854
                      Malicious:false
                      Reputation:low
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8404
                      Entropy (8bit):3.6865478842921053
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJ1f6q+3r6YEIdSU99ggmfZ1Wprv89bXnsffI9m:R6lXJN6q+3r6YECSU99ggmf7DXsffv
                      MD5:411EB6E553D971D93338E3E5B158AA8B
                      SHA1:F7C85796C25C480BE499A29B0F7EA59A0867C4E6
                      SHA-256:C43A444EFAA6BC134CDE2328E4738DA6899F0A115254D939829A7F5FE7C4DE19
                      SHA-512:18FAB05E0EA4C4405F3246C9B98589044674E2D10E63C2C0F41195EE1817CD39FD5B5A23D16A30B2BAED7B7E71FB93EF7929FDA745674D3C0E7FD2C82E43B9AE
                      Malicious:false
                      Reputation:low
Preview (UTF-16 decoded, truncated):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>5068</Pi
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4703
                      Entropy (8bit):4.447358771355289
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsL/Jg77aI9AbWpW8VYiYm8M4JPQxLDuFWq+q8viQxLDCKM1G6nud:uIjfLhI7Oq7VuJyxqKp3Mo6nud
                      MD5:2512066A9D581C4ED375A63FF5897E8F
                      SHA1:E9CAAE3E6E049E907C61DFE9FF3837C883D122C9
                      SHA-256:E591C9B2DF506463F83FAA489BA90305C024B2EEC690813BFA32B2E082CC4998
                      SHA-512:3B26EB19FF6A308D1C932E680CC0B0D135709A6B3F7BA8619C2FE0A138183A7072FA940B6435DCF1EF363BC2B75A5528B4D1FF2B6C9C841BD051C6809548E321
                      Malicious:false
                      Reputation:low
Preview (truncated):
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
 <src>
 <desc>
 <mach>
 <os>
 <arg nm="vermaj" val="10" />
 <arg nm="vermin" val="0" />
 <arg nm="verbld" val="19045" />
 <arg nm="vercsdbld" val="2006" />
 <arg nm="verqfe" val="2006" />
 <arg nm="csdbld" val="2006" />
 <arg nm="versp" val="0" />
 <arg nm="arch" val="9" />
 <arg nm="lcid" val="2057" />
 <arg nm="geoid" val="223" />
 <arg nm="sku" val="48" />
 <arg nm="domain" val="0" />
 <arg nm="prodsuite" val="256" />
 <arg nm="ntprodtype" val="1" />
 <arg nm="platid" val="2" />
 <arg nm="tmsi" val="17014" />
 <arg nm="osinsty" val="1" />
 <arg nm="iever" val="11.789.19041.0-11.0.1000" />
 <arg nm="portos" val="0" />
 <arg nm="ram" val="4096
                      Process:C:\Windows\SysWOW64\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1835008
                      Entropy (8bit):4.421568421556024
                      Encrypted:false
                      SSDEEP:6144:cSvfpi6ceLP/9skLmb0OTXWSPHaJG8nAgeMZMMhA2fX4WABlEnNO0uhiTw:HvloTXW+EZMM6DFyQ03w
                      MD5:21BF9052A0909DAC76CD491364F00AD2
                      SHA1:9A657EAF6438277AD945A16F6FE30D33D3CA73CC
                      SHA-256:021EC8B360871528A2549C68F9CD5116EBEB746B1549B3DD9701717BB957B6BD
                      SHA-512:D0C716B2F67021B570F28449F2894CD68C4609722EE123B4A69F31D50C409A6547E45F22C157A684A2FBE9DCDE0C0EDD0FBFDC87A99F6601EEEB8A99F91E7A4E
                      Malicious:false
                      Reputation:low
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):0.34944974897363185
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:sexemulator.exe
                      File size:9'016'896 bytes
                      MD5:30c841a6ac5220486e391cb20cde2211
                      SHA1:16bfdfedc72ff4057f217f022b1cfc9801c5e75e
                      SHA256:12772e06601fe7d3317b20284e5d0668ce41f51829c1527d8d042e735f9a7b80
                      SHA512:4bab5875e9f9bfbce9292d9e164b1ba8b1faf8d2f273b81b0f0616366a33aa92578a57d57e548755e04ddd36901cafff708d68aeda25c98ad5e16c746b214c4b
                      SSDEEP:3072:o2n8lTxrUzFUG6+FQjSApoL/px3pZ9eHttqo+giutF/s028t6iNBIFT96q:o2nrzuJpoL/2D/+R96q
                      TLSH:D196E02229EB109DF3A3ABB25FC8F8FF896AE573191E70F5214107468722D45CD52B36
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0......F........... ........@.. .......................`............`................................
                      Icon Hash:e3f96160d9b0286c
                      Entrypoint:0x47d1ee
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x83E499D1 [Tue Feb 14 01:48:01 2040 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entrypoint disassembly; the jmp through the IAT is the standard native stub of a .NET executable, and everything after it is zero padding, which disassembles as "add byte ptr [eax], al")
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7d198 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7e000 | 0x4320 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity     | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0x7b1f4      | 0x7b200  | False    | 0.23634398794416245 | data      | 3.4260419896084913  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0x7e000         | 0x4320       | 0x4400   | False    | 0.7742991727941176  | data      | 6.459982375413444   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x84000         | 0xc          | 0x200    | False    | 0.044921875         | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name          | RVA     | Size   | Type                                                                                                        | Language | Country | ZLIB Complexity
RT_ICON       | 0x7e0e4 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m |          |         | 0.7864312706660368
RT_GROUP_ICON | 0x8230c | 0x14   | data                                                                                                        |          |         | 1.1
DLL         | Import
mscoree.dll | _CorExeMain
                      No network behavior found

                      Target ID:0
                      Start time:06:31:48
                      Start date:15/10/2023
                      Path:C:\Users\user\Desktop\sexemulator.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Users\user\Desktop\sexemulator.exe
                      Imagebase:0xfe0000
                      File size:9'016'896 bytes
                      MD5 hash:30C841A6AC5220486E391CB20CDE2211
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Yara matches:
                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2106405316.00000000045A7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true

                      Target ID:4
                      Start time:06:31:49
                      Start date:15/10/2023
                      Path:C:\Windows\SysWOW64\WerFault.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1036
                      Imagebase:0xc10000
                      File size:483'680 bytes
                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:moderate
                      Has exited:true

                      Executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2106118139.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1870000_sexemulator.jbxd
                      Similarity
                      • API ID:
                      • String ID: (aq$d
                      • API String ID: 0-3557608343
                      • Opcode ID: 90c7471becfc7524c9736a546a5c9a6ea1f38c41d3cd029ed92d48a83f531dd9
                      • Instruction ID: fe281c77c8c45eb22f0a42be466667ddf01d46e0710403124bcc7e3bb008ef7d
                      • Opcode Fuzzy Hash: 90c7471becfc7524c9736a546a5c9a6ea1f38c41d3cd029ed92d48a83f531dd9
                      • Instruction Fuzzy Hash: C3C16A35600A058FC715DF19C48096ABBF2FF89320769CA69E45ADB766DB30FD42CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.2106118139.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1870000_sexemulator.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ce580da822c710e457d1b4f24bf56a41c4146a62b148120f5a0c6d27232ce2fe
                      • Instruction ID: 417d270d3e421dd13b5e10980d8fcf9ca1d61c130f7ab66b137b6e2f9f09088c
                      • Opcode Fuzzy Hash: ce580da822c710e457d1b4f24bf56a41c4146a62b148120f5a0c6d27232ce2fe
                      • Instruction Fuzzy Hash: D6C19C30A003098FDB14DFA8D854A6EBBB6FF89314F108568D406DB395DF74AD02CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.2106118139.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1870000_sexemulator.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0dfb7fef20b2f382977c65d6d356b422b9e8e01acd5c659f46846efa1f2d84c2
                      • Instruction ID: bb72c49ac22c7976a705f9f9d3189e1cd7743795cea11e5f65265a65fd46e82a
                      • Opcode Fuzzy Hash: 0dfb7fef20b2f382977c65d6d356b422b9e8e01acd5c659f46846efa1f2d84c2
                      • Instruction Fuzzy Hash: 13A16C30A002098FDB04DFB8D8546AEB7B6FF89704F148568D40AEB394DF75AD46CB92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.2106118139.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1870000_sexemulator.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0f09c04e4f07e4025d5db4149f01bde976c5c3b2edf9150045a95eca9608f849
                      • Instruction ID: ffb1c2d3b32085ee201819570dd74e1fa610a12020cb345f1eecaa6e1ee45e36
                      • Opcode Fuzzy Hash: 0f09c04e4f07e4025d5db4149f01bde976c5c3b2edf9150045a95eca9608f849
                      • Instruction Fuzzy Hash: 6801DF313002815FD316EA79EC9492A7BEAEBC6B5134445ADE405CF315EE34ED05CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.2106118139.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1870000_sexemulator.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 43806e4e0cb93b97dceeaad6c5cccadf379dfd91a0157f31d4e2cfd3d1601801
                      • Instruction ID: d846fafede85c837ad4cfd57bc74fdc383bce18aa7ae7d7222ae3e898eee8938
                      • Opcode Fuzzy Hash: 43806e4e0cb93b97dceeaad6c5cccadf379dfd91a0157f31d4e2cfd3d1601801
                      • Instruction Fuzzy Hash: 05F0AF353002414BD706EF79A8A046E7BE6EF8571135484AAC405CF755EF38DE09C780
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.2106118139.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1870000_sexemulator.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0701572a485e058e3383fb519fc9f131ff5d5994a35f78cf62c9ce1ddcd87864
                      • Instruction ID: 5bf0f462f849b6e6c43e08447bbdc38dc1cd204b0d4c2c271fce6fbbce5e77dd
                      • Opcode Fuzzy Hash: 0701572a485e058e3383fb519fc9f131ff5d5994a35f78cf62c9ce1ddcd87864
                      • Instruction Fuzzy Hash: 7ED01731A00209FF8B04DFA9E91495DBBBAEB45215B5045ADD80AD7304EB316F109B90
                      Uniqueness

                      Uniqueness Score: -1.00%