Edit tour

Windows Analysis Report
WebReport_safe_certified_2024.zip

Overview

General Information

Sample name:	WebReport_safe_certified_2024.zip
Analysis ID:	1442030
MD5:	cebc8159fb7cd0d4d03f8820ee65d6e3
SHA1:	a782d422b4d8624c5fe19dceab1cc0afa6115960
SHA256:	9e18f4dafc77243ce23f912639c1b62f6834f4bf907d1fb054304dee379f6fb3
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Checks if the current process is being debugged

Drops PE files

Found dropped PE file which has not been started or loaded

One or more processes crash

Classification

Process Tree

System is w10x64_ra

rundll32.exe (PID: 7084 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

WerFault.exe (PID: 7124 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7080 -ip 7080 MD5: C31336C1EFC2CCB44B4326EA793040F2)

regAgent.exe (PID: 3976 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe" MD5: BA40702F6DC1052B64F8AD66DE3E4F99)

regAgent.exe (PID: 7080 cmdline: "C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe" MD5: BA40702F6DC1052B64F8AD66DE3E4F99)

WerFault.exe (PID: 5632 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 564 MD5: C31336C1EFC2CCB44B4326EA793040F2)

7zG.exe (PID: 3816 cmdline: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\WebReport_safe_certified_2024\" -spe -an -ai#7zMap25386:114:7zEvent4983 MD5: 50F289DF0C19484E970849AAC4E6F977)

regAgent.exe (PID: 6228 cmdline: "C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe" MD5: BA40702F6DC1052B64F8AD66DE3E4F99)

regAgent.exe (PID: 3996 cmdline: "C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe" MD5: BA40702F6DC1052B64F8AD66DE3E4F99)

regAgent.exe (PID: 1000 cmdline: "C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe" MD5: BA40702F6DC1052B64F8AD66DE3E4F99)

regAgent.exe (PID: 1172 cmdline: "C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe" MD5: BA40702F6DC1052B64F8AD66DE3E4F99)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe

Avira: detection malicious, Label: TR/Hesv.evrpr

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7080 -ip 7080

Source: classification engine

Classification label: mal48.winZIP@11/7@0/8

Source: C:\Program Files\7-Zip\7zG.exe

File created: C:\Users\user\Desktop\WebReport_safe_certified_2024

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7080
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:7124:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\aba2c92f-d1b7-4169-9bcd-6664f0100699

Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe "C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe "C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7080 -ip 7080
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7080 -s 564
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Program Files\7-Zip\7zG.exe "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\user\Desktop\WebReport_safe_certified_2024\" -spe -an -ai#7zMap25386:114:7zEvent4983
Source: unknown	Process created: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe "C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe"
Source: unknown	Process created: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe "C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe"
Source: unknown	Process created: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe "C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe"
Source: unknown	Process created: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe "C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe"

Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: explorerframe.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textshaping.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: textinputframework.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coreuicomponents.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: coremessaging.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Program Files\7-Zip\7zG.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: winsta.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Section loaded: dwmapi.dll

Source: C:\Program Files\7-Zip\7zG.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Source: WebReport_safe_certified_2024.zip

Static file information: File size 1792502 > 1048576

Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\WebReport_safe_certified_2024\webAgent.bin			Jump to dropped file
Source: C:\Program Files\7-Zip\7zG.exe	File created: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe			Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Source: C:\Program Files\7-Zip\7zG.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\WebReport_safe_certified_2024\webAgent.bin

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\Temp1_WebReport_safe_certified_2024.zip\regAgent.exe

Process queried: DebugPort

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Rundll32	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
WebReport_safe_certified_2024.zip	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	100%	Avira	TR/Hesv.evrpr
C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe	11%	ReversingLabs	Win32.Trojan.Hesv
C:\Users\user\Desktop\WebReport_safe_certified_2024\webAgent.bin	0%	ReversingLabs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.89.179.12	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1442030
Start date and time:	2024-05-15 15:50:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	WebReport_safe_certified_2024.zip
Detection:	MAL
Classification:	mal48.winZIP@11/7@0/8
Cookbook Comments:	Found application associated with file extension: .zip

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: WebReport_safe_certified_2024.zip

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regAgent.exe_75dbc628e010e71637b575e03c476bbdad3bcb_786e82c6_cdb2c9b0-1d75-4388-a5c5-72551bc0291f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8503238023198934
Encrypted:	false
SSDEEP:
MD5:	1A9C26389C87C1C6BBDA4EB9631D5579
SHA1:	40EF6F351790C49BD0283F12C78ADB625A23D7C2
SHA-256:	28D3137A6FCD5E81A7F742E914B83E79041648EC566BF0B58DBED6CC56218720
SHA-512:	37B5276371ABB15FABAE4408C8AB712C93E1168D953AF3783771C407B5F53E3A6CEE46494210023222AA7CEE90776EE20843896167F87185EFAA7F2309ACBB63
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.0.2.5.4.6.7.7.6.3.5.8.5.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.0.2.5.4.6.7.7.9.7.1.8.5.9.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.b.2.c.9.b.0.-.1.d.7.5.-.4.3.8.8.-.a.5.c.5.-.7.2.5.5.1.b.c.0.2.9.1.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.a.b.6.0.a.4.-.6.7.5.3.-.4.e.b.d.-.b.7.4.c.-.6.3.0.1.7.7.b.8.6.e.3.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.e.g.A.g.e.n.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.G.a.d.i.a.W.e.b.A.g.e.n.t.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.8.-.0.0.0.1.-.0.0.1.6.-.a.4.5.3.-.6.a.f.5.c.e.a.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.b.d.e.0.4.4.0.4.a.f.7.1.2.b.f.a.3.1.3.1.a.c.c.a.0.2.4.9.b.0.7.0.0.0.0.0.9.0.4.!.0.0.0.0.3.9.e.6.c.f.b.b.f.0.0.8.6.3.b.0.4.9.8.c.5.8.5.9.4.a.6.d.5.3.a.0.3.b.1.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B37.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed May 15 13:51:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	43866
Entropy (8bit):	2.0196551900084967
Encrypted:	false
SSDEEP:
MD5:	A3113FF478EAC6FC9132FC0CB15027B9
SHA1:	E5F7866AA0FD6D3EDBF4F19C5448569BA8343618
SHA-256:	C279F9CF3168ED81B28E22A321F683BE849674BE6CADB507FBC8EBC39BBADA8D
SHA-512:	3DDB0F3CAD736B878BAEEA6857B85EE746052C6E5D87F55C5AEB85A41EA08539CB356550FFC4A2B2B7E349259CC432E7258CA16CD7A3EA84F61DAEE3D835BC9D
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ........Df....................................D....(..........T.......8...........T......................................................................................................................eJ......h.......GenuineIntel............T............Df.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BC5.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8314
Entropy (8bit):	3.6978103616801263
Encrypted:	false
SSDEEP:
MD5:	E83EF027E3DEA3B807A747F559A14EAA
SHA1:	CC6BB80D801669C69B7ED0DF7C712AC06A9B0E7E
SHA-256:	D2500B26E275591142833171FD35B20BDEF7508811C43F44E576A1DC5555E9D0
SHA-512:	33F464A58257FFB0BFBCB63A20645A2173C8FD20601CBB6D4A29EC6508A3BF1628FBA7BB0CBF8A0BDF1793CF1B223F1A2AE4EB9E4244460DB677679A2F401E33
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C04.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4656
Entropy (8bit):	4.472006699609142
Encrypted:	false
SSDEEP:
MD5:	4493789A86FFF5E9BFC36C75D41CBF84
SHA1:	138C3A33F46451CBFB82B6BE9368464877111C21
SHA-256:	7B36BE82FC919154449ECE07DAECAF7BC852E535404EFDA08DACD6015364F2F3
SHA-512:	601260D068D14FF5FC51AD47274A3CF8A2F305EA37E2864B4D6FDE8FFBF5DF92032057F2BFCB4D8959C936C5CFC19583B9515405692722C4F4E859D1FB926201
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="324293" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2211552
Entropy (8bit):	6.638285112824069
Encrypted:	false
SSDEEP:
MD5:	BA40702F6DC1052B64F8AD66DE3E4F99
SHA1:	39E6CFBBF00863B0498C58594A6D53A03B1E7054
SHA-256:	B0113A10D603622E10F6B45F3D38C7E9D82A21F78A0DC37DBB0F29D2AD5EBE0A
SHA-512:	B705E20C5532EF7D880EC35D39143F9C1836E34D7297DF9AC678C1993C66B272339668BF04669F26DD7402ECA14F22BD168253D9935C13AB155F7285777EEA29
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 11%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...W7ce............................h.............@..........................p"......G"..........@..............................t6....!..z............!..(...0............................... ..........................d.......j....................text...\........................... ..`.itext.............................. ..`.data....P.......R..................@....bss.....a...@...........................idata..t6.......8..................@....didata.j............R..............@....edata...............^..............@..@.tls....H................................rdata..\.... .......`..............@..@.reloc.......0.......b..............@..B.rsrc....z....!..z....!.............@..@.............p".......!.............@..@................

C:\Users\user\Desktop\WebReport_safe_certified_2024\webAgent.bin

Download File

Process:	C:\Program Files\7-Zip\7zG.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2369760
Entropy (8bit):	6.643261914545816
Encrypted:	false
SSDEEP:
MD5:	F5D8AE8C9BF904B849054D80D0D94BE5
SHA1:	597635E6ACA574CC424650413AC5F29BEC079C10
SHA-256:	23DE6022B6A42F595CFF3D8D9F9753DB17AEC7F288CFC2FDBD94D6CBABD62DC2
SHA-512:	52030DE159BEF131B608D23D1C16B24CA294F0F80B9B86C2EC1EEFE4A1A4DDEF1D2F9DC0DD55C14107085B0E5220BEA5886D4A783A9BC2DF526C03239BAF559C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....uBe.....................@....................@...........................$.......%..........@...................0!....... ..9...P$...............$..(...`!..............................P!....................... ...... !.j....................text............................... ..`.itext..L........................... ..`.data...h...........................@....bss.....a...p ..........................idata...9.... ..:...J .............@....didata.j.... !....... .............@....edata.......0!....... .............@..@.tls....H....@!..........................rdata..\....P!....... .............@..@.reloc.......`!....... .............@..B.rsrc........P$......\|#.............@..@..............$.......$.............@..@................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.310212996570213
Encrypted:	false
SSDEEP:
MD5:	51F1B076DE4A127FAF2E97A32CD3D4C8
SHA1:	417B5B3CCB0A6FB055F5EC499BE9631CE9373B65
SHA-256:	40F45F9B7BADA404081A28A5C85F86ED5A7CEBFD5A504F4FE38883F06B36BF8C
SHA-512:	BF2F243B30D3A448AE25324C0BFD436B857D7FED058CDAFDF5141E23E1B49C09E52CBAC6F53082DE9E40EB6A20BA99288232BC0F4696E6F0EBA178A2B4A73874
Malicious:	false
Reputation:	unknown
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.J.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.99781577085027
TrID:	ZIP compressed archive (8000/1) 100.00%
File name:	WebReport_safe_certified_2024.zip
File size:	1'792'502 bytes
MD5:	cebc8159fb7cd0d4d03f8820ee65d6e3
SHA1:	a782d422b4d8624c5fe19dceab1cc0afa6115960
SHA256:	9e18f4dafc77243ce23f912639c1b62f6834f4bf907d1fb054304dee379f6fb3
SHA512:	2130562ae59fc1907366fefa84cf552e2b98255152cbe33b988898c06391c9dae706c40b11ea2ea1d383d2d561847be25191dd0b1b5a11372fe7a60304ff4bfc
SSDEEP:	49152:r/24TdSN9aB4P4XFhxzAseXIO1r0iFuqwv:r/2HN974XR90ION0Vqq
TLSH:	FD85336D5CE4231B9C2B1B738A7E619B566100C8CD367F35EDEC24D01E5CABE61390AB
File Content Preview:	PK.........M]XP..1t.....!.....regAgent.exe.;.lTWvg..=o>6c..g.6......C...1......c.n......x<o...1).x...u....*.Z...6R.-......niEU..R.M....R.(RI.fI.dz....yo>..................H...UP(.\..........v.../.~...+...g..'R..........\|.h:.6..LS>.P....L..:..'.../...u....

File Icon


Icon Hash:	1c1c1e4e4ececedc

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WebReport_safe_certified_2024.zip

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regAgent.exe_75dbc628e010e71637b575e03c476bbdad3bcb_786e82c6_cdb2c9b0-1d75-4388-a5c5-72551bc0291f\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B37.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2BC5.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2C04.tmp.xml

C:\Users\user\Desktop\WebReport_safe_certified_2024\regAgent.exe

C:\Users\user\Desktop\WebReport_safe_certified_2024\webAgent.bin

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
WebReport_safe_certified_2024.zip