
Analysis Report INV.exe

Overview

General Information

Sample Name: INV.exe
Analysis ID: 323458
MD5: 83259cb82642666503278233421c306d
SHA1: 180e81bab341eda0d404b8f5fed93bc3b350cfbd
SHA256: 6e28207e7a3ef7f173d7a7905208a55ff0ad1eb645241e2e9ae453c643cf3a31
Tags: exe

Detection

FormBook
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • INV.exe (PID: 7140 cmdline: 'C:\Users\user\Desktop\INV.exe' MD5: 83259CB82642666503278233421C306D)
    • conhost.exe (PID: 7148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • INV.exe (PID: 1740 cmdline: C:\Users\user\Desktop\INV.exe MD5: 83259CB82642666503278233421C306D)
    • INV.exe (PID: 6348 cmdline: C:\Users\user\Desktop\INV.exe MD5: 83259CB82642666503278233421C306D)
      • INV.exe (PID: 2856 cmdline: C:\Users\user\Desktop\INV.exe MD5: 83259CB82642666503278233421C306D)
        • WerFault.exe (PID: 1868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x1e940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1ebba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x2a6dd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x2a1c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x2a7df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x2a957:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x1f5d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x29444:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x202cb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x3054f:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x31552:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x2d471:$sqlite3step: 68 34 1C 7B E1
  • 0x2d584:$sqlite3step: 68 34 1C 7B E1
  • 0x2d4a0:$sqlite3text: 68 38 2A 90 C5
  • 0x2d5c5:$sqlite3text: 68 38 2A 90 C5
  • 0x2d4b3:$sqlite3blob: 68 53 D8 7F 8C
  • 0x2d5db:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x21b10:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x21d8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x2d8ad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x2d399:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x2d9af:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x2db27:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x227a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x2c614:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x2349b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x3371f:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x34722:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.INV.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.INV.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x1ad40:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1afba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x26add:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x265c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x26bdf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x26d57:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x1b9d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x25844:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1c6cb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x2c94f:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x2d952:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.INV.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x29871:$sqlite3step: 68 34 1C 7B E1
  • 0x29984:$sqlite3step: 68 34 1C 7B E1
  • 0x298a0:$sqlite3text: 68 38 2A 90 C5
  • 0x299c5:$sqlite3text: 68 38 2A 90 C5
  • 0x298b3:$sqlite3blob: 68 53 D8 7F 8C
  • 0x299db:$sqlite3blob: 68 53 D8 7F 8C
4.2.INV.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.INV.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x1e940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1ebba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x2a6dd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x2a1c9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x2a7df:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x2a957:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x1f5d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x29444:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x202cb:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x3054f:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x31552:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: INV.exe | Avira: detected
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: INV.exe | Joe Sandbox ML: detected
Source: 0.0.INV.exe.1060000.0.unpack | Avira: Label: ADWARE/MultiPlug.Gen7
Source: 4.0.INV.exe.1060000.0.unpack | Avira: Label: ADWARE/MultiPlug.Gen7
Source: 4.2.INV.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.INV.exe.1060000.0.unpack | Avira: Label: ADWARE/MultiPlug.Gen7
Source: 2.2.INV.exe.1060000.0.unpack | Avira: Label: ADWARE/MultiPlug.Gen7
Source: 3.2.INV.exe.1060000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 0.2.INV.exe.1060000.0.unpack | Avira: Label: TR/Crypt.EPACK.Gen2
Source: 4.2.INV.exe.1060000.1.unpack | Avira: Label: ADWARE/MultiPlug.Gen7
Source: 3.0.INV.exe.1060000.0.unpack | Avira: Label: ADWARE/MultiPlug.Gen7
Source: C:\Users\user\Desktop\INV.exe | Code function: 4_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\INV.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\INV.exe | Code function: 4x nop then pop ebx
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: INV.exe, 00000000.00000002.648809427.00000000012C8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_01061BC7
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_0109C16C
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_0109C170
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_010950B7
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_010950C0
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_0106B0E6
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_01093360
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_01074399
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_010952E0
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_01071521
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_0108A57D
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_0106B4FE
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_010727AF
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_0106B933
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_010759B4
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_0106ABF2
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_01071A93
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_010B0AC0
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_01073AD7
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_01069D44
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_0106BD68
Source: C:\Users\user\Desktop\INV.exe | Code function: 0_2_01070FB6
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_01071521
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_0106B933
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_01069D44
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_0106BD68
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_010759B4
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_0106B0E6
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_0106B4FE
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_01074399
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_010727AF
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_01070FB6
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_01061BC7
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_0106ABF2
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_01071A93
Source: C:\Users\user\Desktop\INV.exe | Code function: 2_2_01073AD7
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_01061BC7
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_0109C16C
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_0109C170
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_010950B7
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_010950C0
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_0106B0E6
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_01093360
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_01074399
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_010952E0
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_01071521
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_0108A57D
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_0106B4FE
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_010727AF
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_0106B933
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_010759B4
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_0106ABF2
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_01071A93
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_010B0AC0
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_01073AD7
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_01069D44
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_0106BD68
Source: C:\Users\user\Desktop\INV.exe | Code function: 3_2_01070FB6
Source: C:\Users\user\Desktop\INV.exe | Code function: 4_2_0040A2A5
Source: C:\Users\user\Desktop\INV.exe | Code function: String function: 010821A8 appears 46 times
Source: C:\Users\user\Desktop\INV.exe | Code function: String function: 01085976 appears 36 times
Source: C:\Users\user\Desktop\INV.exe | Code function: String function: 010627F0 appears 90 times
Source: C:\Users\user\Desktop\INV.exe | Code function: String function: 010615FE appears 33 times
Source: C:\Users\user\Desktop\INV.exe | Code function: String function: 010632A1 appears 81 times
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872
Source: INV.exe, 00000000.00000003.647727507.0000000002F0F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INV.exe
Source: INV.exe, 00000003.00000003.649712453.00000000033FF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs INV.exe
Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs INV.exe
Source: INV.exe, 00000004.00000002.728240140.0000000004D90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs INV.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal72.troj.evad.winEXE@9/4@0/0
Source: C:\Users\user\Desktop\INV.exe | Code function: 4_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2856
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7148:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERD26.tmp
Source: INV.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INV.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\INV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\INV.exe 'C:\Users\user\Desktop\INV.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: unknown | Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: unknown | Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872
Source: C:\Users\user\Desktop\INV.exe | Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: C:\Users\user\Desktop\INV.exe | Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: C:\Users\user\Desktop\INV.exe | Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
Source: C:\Users\user\Desktop\INV.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: INV.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.658590255.0000000002FCA000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: INV.exe, 00000000.00000003.647077119.0000000002C60000.00000004.00000001.sdmp, INV.exe, 00000003.00000003.653597565.00000000032E0000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.658584638.0000000002FC4000.00000004.00000001.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 00000007.00000003.662436848.0000000004FDE000.00000004.00000040.sdmp
          Source: Binary string: .ni.pdb source: WerFault.exe, 00000007.00000003.662359081.0000000004EF2000.00000004.00000001.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: wwin32u.pdb7^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb=^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.658722034.0000000002FCF000.00000004.00000001.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp, WERD26.tmp.dmp.7.dr
          Source: Binary string: oleaut32.pdb]^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: crypt32.pdb;^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.658584638.0000000002FC4000.00000004.00000001.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb)^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdbUGP source: INV.exe, 00000000.00000003.647077119.0000000002C60000.00000004.00000001.sdmp, INV.exe, 00000003.00000003.653597565.00000000032E0000.00000004.00000001.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000007.00000003.662436848.0000000004FDE000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 00000007.00000003.662436848.0000000004FDE000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WERD26.tmp.dmp.7.dr
          Source: Binary string: mscoree.pdbs^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: ole32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdb[^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.662414796.0000000004FD0000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000007.00000003.661742223.0000000005180000.00000004.00000001.sdmp, WERD26.tmp.dmp.7.dr
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdbk source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.658722034.0000000002FCF000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.662352676.0000000004EE1000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdba^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.662424702.0000000004FD4000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdbk source: WerFault.exe, 00000007.00000003.662424702.0000000004FD4000.00000004.00000040.sdmp
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000007.00000003.658590255.0000000002FCA000.00000004.00000001.sdmp
          Source: Binary string: combase.pdbk source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdbo^ source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000007.00000003.662376905.0000000004FD1000.00000004.00000040.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: Binary string: .pdbEE source: WerFault.exe, 00000007.00000003.662359081.0000000004EF2000.00000004.00000001.sdmp
          Source: Binary string: crypt32.pdb source: WerFault.exe, 00000007.00000003.662383535.0000000004FD7000.00000004.00000040.sdmp
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: INV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010821EE push ecx; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A05B2 pushfd ; retf
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010AF402 push eax; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010AF46C push eax; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01062835 push ecx; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A8864 push edx; retf
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01099B83 push es; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01099A9E push ss; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0107EDC0 push eax; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01096C15 push eax; iretd
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A8C60 push ds; retf
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A8F2B push ecx; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010A8F24 push ecx; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0107EE70 push eax; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01062835 push ecx; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010821EE push ecx; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A05B2 pushfd ; retf
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010AF402 push eax; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010AF46C push eax; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01062835 push ecx; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A8864 push edx; retf
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01099B83 push es; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01099A9E push ss; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0107EDC0 push eax; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01096C15 push eax; iretd
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A8C60 push ds; retf
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A8F2B push ecx; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010A8F24 push ecx; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_0107EE70 push eax; ret
          Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00401F16 push ecx; ret
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01061BC7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
          Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0109BDC0 rdtsc
          Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00404A29 FindFirstFileExW,
          Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: WerFault.exe, 00000007.00000002.724149212.0000000004BF2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0?
          Source: WerFault.exe, 00000007.00000002.724219863.0000000004C50000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
          Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: INV.exe, 00000004.00000002.728297427.0000000004E00000.00000002.00000001.sdmp, WerFault.exe, 00000007.00000002.724244576.0000000004CE0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Windows\SysWOW64\WerFault.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\INV.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\INV.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_0109BDC0 rdtsc
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010683A4 IsDebuggerPresent,
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010656BA EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01077800 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01077800 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010802BD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010838C9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01077A20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01080D23 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01080C83 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01080CC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01077800 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01077800 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_01077A20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01077800 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01077800 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010802BD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010838C9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01077A20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01080D23 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01080C83 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_01080CC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_004035F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01061DB2 GetProcessHeap,
          Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010630B6 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_010630E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_010630B6 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\INV.exe Code function: 2_2_010630E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010630B6 SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\INV.exe Code function: 3_2_010630E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00401E1D SetUnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\Desktop\INV.exe Code function: 4_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\Desktop\INV.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\INV.exe Section loaded: unknown target: C:\Users\user\Desktop\INV.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\INV.exe Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: C:\Users\user\Desktop\INV.exe Process created: C:\Users\user\Desktop\INV.exe C:\Users\user\Desktop\INV.exe
          Source: C:\Users\user\Desktop\INV.exe Code function: 0_2_01082365 cpuid
          Source: C:\Users\user\Desktop\INV.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,
          Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
          Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
          Source: C:\Users\user\Desktop\INV.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
          Source: C:\Users\user\Desktop\INV.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,
          Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
          Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
          Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\Desktop\INV.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
          Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
          Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,_GetPrimaryLen,
          Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,
          Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
          Source: C:\Users\user\Desktop\INV.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,
          Source: C:\Users\user\Desktop\INV.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
          Source: C:\Users\user\Desktop\INV.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,
          Source: C:\Users\user\Desktop\INV.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
          Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
          Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,
          Source: C:\Users\user\Desktop\INV.exe Code function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
          Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,_GetPrimaryLen,
          Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
          Source: C:\Users\user\Desktop\INV.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
          Source: C:\Users\user\Desktop\INV.exe Code function: GetLocaleInfoW,
          Source: C:\Users\user\Desktop\INV.exe Code function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\Desktop\INV.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
          Source: C:\Users\user\Desktop\INV.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
          Source: C:\Users\user\Desktop\INV.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exeCode function: EnumSystemLocalesW,
          Source: C:\Users\user\Desktop\INV.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,
          Source: C:\Users\user\Desktop\INV.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
          Source: C:\Users\user\Desktop\INV.exeCode function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
          Source: C:\Users\user\Desktop\INV.exeCode function: GetLocaleInfoW,_GetPrimaryLen,
          Source: C:\Users\user\Desktop\INV.exeCode function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,
          Source: C:\Users\user\Desktop\INV.exeCode function: 0_2_01062679 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

          Stealing of Sensitive Information:

Yara detected FormBook
          Source: Yara matchFile source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
          Source: Yara matchFile source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 4.2.INV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.INV.exe.1060000.0.unpack, type: UNPACKEDPE
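To make the Yara hits above actionable, the dump identifiers can be parsed and ranked by memory protection. The following Python is an added example written for this page, not Joe Sandbox code; it assumes the identifier layout <process index>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp and reads the protection field as a Win32 PAGE_* value (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE), which is an inference from the identifiers listed above rather than documented Joe Sandbox semantics. Under that reading exactly one of the five matched dumps is an RWX region: process index 4, stage 2, base 0x00400000, the same process/stage/base as the carved unpack 4.2.INV.exe.400000.0.unpack that Avira labels TR/Crypt.ZPACK.Gen in the Unpacked PE Files table further down.

```python
"""Triage of Joe Sandbox memory-dump identifiers listed under the Yara hits.

Added example, not part of the Joe Sandbox report. ASSUMPTIONS: the layout
<process index>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp and
the reading of the fifth field as a Win32 PAGE_* protection constant are
inferred from the identifiers in the report, not documented Joe Sandbox
semantics. Unpacked-PE names (e.g. 4.2.INV.exe.400000.0.unpack) are read as
<process index>.<stage>.<image>.<base address>.<n>[.raw].unpack likewise.
"""
from dataclasses import dataclass

# Win32 memory-protection constants (documented by Microsoft in winnt.h).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PROTECTION_NAMES = {
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
}


@dataclass(frozen=True)
class DumpRef:
    process_index: int
    stage: int
    dump_id: int
    base: int
    protection: int
    mem_type: int

    @property
    def protection_name(self) -> str:
        return PROTECTION_NAMES.get(self.protection, hex(self.protection))

    @property
    def is_rwx(self) -> bool:
        # Writable and executable at once: where unpacked payloads and injected code live.
        return self.protection == PAGE_EXECUTE_READWRITE


def parse_dump_ref(name: str) -> DumpRef:
    """Parse e.g. '00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp'."""
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 6:
        raise ValueError("unexpected dump identifier layout: %r" % name)
    pidx, stage, dump_id, base, prot, mtype = parts
    # Process index, stage and dump id are read as decimal (the report writes
    # the same process/stage pair as '4.2'); address, protection, type as hex.
    return DumpRef(int(pidx, 10), int(stage, 10), int(dump_id, 10),
                   int(base, 16), int(prot, 16), int(mtype, 16))


def parse_unpack_ref(name: str):
    """Parse '4.2.INV.exe.400000.0.unpack' or '...0.raw.unpack' into
    (process index, stage, image name, base address)."""
    if not name.endswith(".unpack"):
        raise ValueError("not an unpack identifier: %r" % name)
    stem = name[:-len(".unpack")]
    if stem.endswith(".raw"):
        stem = stem[:-len(".raw")]
    parts = stem.split(".")
    if len(parts) < 5:
        raise ValueError("unexpected unpack identifier layout: %r" % name)
    return int(parts[0]), int(parts[1]), ".".join(parts[2:-2]), int(parts[-2], 16)


def rank_dumps(names):
    """Order dump identifiers so RWX regions come first, then by process and address."""
    refs = [parse_dump_ref(n) for n in names]
    return sorted(refs, key=lambda r: (not r.is_rwx, r.process_index, r.base))


def correlate(dump_names, unpack_names):
    """Pair each RWX dump with the unpacked PEs carved from the same process/stage/base."""
    unpacks = {}
    for u in unpack_names:
        pidx, stage, _image, base = parse_unpack_ref(u)
        unpacks.setdefault((pidx, stage, base), []).append(u)
    hits = []
    for ref in rank_dumps(dump_names):
        if ref.is_rwx:
            hits.append((ref, unpacks.get((ref.process_index, ref.stage, ref.base), [])))
    return hits


# Constructed input: the identifiers exactly as listed in the Yara section of the report.
YARA_DUMPS = [
    "00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp",
    "00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp",
    "00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp",
    "00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp",
    "00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp",
]
YARA_UNPACKS = [
    "4.2.INV.exe.400000.0.unpack",
    "4.2.INV.exe.400000.0.raw.unpack",
    "3.2.INV.exe.1060000.0.unpack",
    "0.2.INV.exe.1060000.0.unpack",
]

if __name__ == "__main__":
    for ref, carved in correlate(YARA_DUMPS, YARA_UNPACKS):
        print("process %d stage %d base 0x%08X %s -> carved PE: %s"
              % (ref.process_index, ref.stage, ref.base, ref.protection_name, carved or "none"))
```

The practical check this encodes: a Yara match inside an RWX region whose base equals the PE's preferred image base (0x400000 here, the static Imagebase field below) is the unpacked payload, and that is the region to carve and submit for configuration/C2 extraction rather than the packed dropper on disk. The PAGE_READWRITE hits at 0x1081000 in processes 0 and 3 are data inside the ASLR-relocated dropper image and are not worth carving.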

          Mitre Att&ck Matrix

The matrix is flattened in this export; it is listed below per tactic column, in the original row order. A number in brackets after a technique is the per-technique signature counter the report renders as a superscript in the matrix; techniques without a number are unfilled matrix cells.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Application Shimming [1]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [111]; DLL Side-Loading [1]; Application Shimming [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Modify Registry [1]; Virtualization/Sandbox Evasion [2]; Disable or Modify Tools [1]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [1]; DLL Side-Loading [1]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [1]; Query Registry [1]; Security Software Discovery [61]; Virtualization/Sandbox Evasion [2]; Process Discovery [1]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [32]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture [1]; Archive Collected Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

          Behavior Graph

Behavior Graph ID: 323458 | Sample: INV.exe | Start date: 27/11/2020 | Architecture: WINDOWS | Score: 72

Signatures attached to the sample node:
• Malicious sample detected (through community Yara rule)
• Antivirus / Scanner detection for submitted sample
• Yara detected FormBook
• Machine Learning detection for sample

Process tree as drawn in the graph (numbers in parentheses are the graph's per-node counters):
INV.exe (1), started
  |-- INV.exe (1), started; signature on this node: Maps a DLL or memory area into another process
  |     `-- INV.exe, started
  |           `-- WerFault.exe (23, 9), started
  |                 `-- dropped file: C:\ProgramData\Microsoft\...\Report.wer, Little-endian
  |-- conhost.exe, started
  `-- INV.exe, started


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
INV.exe | 100% | Avira | ADWARE/MultiPlug.Gen7
INV.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
0.0.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
4.0.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
4.2.INV.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.0.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
2.2.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
3.2.INV.exe.1060000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
0.2.INV.exe.1060000.0.unpack | 100% | Avira | TR/Crypt.EPACK.Gen2
4.2.INV.exe.1060000.1.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7
3.0.INV.exe.1060000.0.unpack | 100% | Avira | ADWARE/MultiPlug.Gen7

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

Columns of the original table: Name, Source, Malicious, Antivirus Detection, Reputation.

All fourteen entries share the same source, WerFault.exe, 00000007.00000003.661457706.00000000051C0000.00000004.00000001.sdmp, are marked Malicious: false, have no antivirus detection and carry reputation "high". They are the standard WS-Federation/.NET claim-type URIs (schemas.xmlsoap.org/ws/2005/05/identity/claims/...) read from the memory of the crash handler WerFault.exe (process 7), not strings from INV.exe, so they are not indicators for this sample; the run-on tails (for example "...dateofbirthrhttp://...") are evidently adjacent bytes in the same memory region captured together with the string. Names as listed:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication

                                      Contacted IPs

                                      No contacted IP infos

                                      General Information

                                      Joe Sandbox Version:31.0.0 Red Diamond
                                      Analysis ID:323458
                                      Start date:27.11.2020
                                      Start time:02:05:12
                                      Joe Sandbox Product:CloudBasic
                                      Overall analysis duration:0h 6m 39s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Sample file name:INV.exe
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • HDC enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Detection:MAL
                                      Classification:mal72.troj.evad.winEXE@9/4@0/0
                                      EGA Information:Failed
                                      HDC Information:
                                      • Successful, ratio: 47.7% (good quality ratio 44%)
                                      • Quality average: 80.9%
                                      • Quality standard deviation: 30.5%
                                      HCA Information:
                                      • Successful, ratio: 74%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Adjust boot time
                                      • Enable AMSI
                                      • Found application associated with file extension: .exe
                                      Warnings:
                                      • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
                                      • Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.88.21.125, 51.104.144.132, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.194, 92.122.213.247
                                      • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/323458/sample/INV.exe

                                      Simulations

                                      Behavior and APIs

Time | Type | Description
02:06:35 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                      Joe Sandbox View / Context

                                      IPs

                                      No context

                                      Domains

                                      No context

                                      ASN

                                      No context

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_INV.exe_7fa5c1fc50c97be82372a0bb1297551a3548ed7_49edae5c_07187e10\Report.wer
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):11318
                                      Entropy (8bit):3.766850711619048
                                      Encrypted:false
                                      SSDEEP:96:rZaZuQOl+hVkDNfypXIQcQvc6QcEDMcw3Db+HbHgg5uHjgtYsaSiYuka5o1CvnrN:NaZuQCMHBUZMXYjGd/u7sdS274It56i
                                      MD5:EFA8B9C67840D9F908C18F2FB070DFCF
                                      SHA1:3288B62685CE903BF575D1DC2D3783EC89D8F70D
                                      SHA-256:677F52CAAB368AEA97203A9B5FC83985BFF81B90CBD0CC051E05A9478559DFDA
                                      SHA-512:E0DD05D2E0D28E2D5D31692AABA0FC4A14EF0112C2CD07E06E3AD0E79DFA99066FA5A2945BB26E21CE636456CC72F577CA2E19372972EE9207C823F317FBBAAF
                                      Malicious:true
                                      Reputation:low
                                      Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.9.1.2.7.6.6.1.8.1.9.3.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.9.1.2.7.7.0.9.7.8.7.8.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.4.6.8.0.5.9.-.0.3.d.7.-.4.0.0.a.-.a.8.2.a.-.2.5.5.7.5.5.a.b.0.4.b.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.c.b.e.2.8.c.-.3.5.0.b.-.4.5.6.7.-.8.f.6.5.-.d.2.8.0.8.2.5.b.f.b.5.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.N.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.2.8.-.0.0.0.1.-.0.0.1.b.-.e.e.0.f.-.d.4.7.8.5.9.c.4.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.9.d.3.5.a.e.9.1.5.c.2.c.9.6.f.c.6.d.3.6.c.e.5.2.8.8.0.2.e.4.b.0.0.0.0.f.f.f.f.!.0.0.0.0.1.8.0.e.8.1.b.a.b.3.4.1.e.d.a.0.d.4.0.4.b.8.f.5.f.e.d.9.3.b.c.3.b.3.5.0.c.f.b.d.!.I.N.V...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.0././.1.
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER12D4.tmp.WERInternalMetadata.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):6260
                                      Entropy (8bit):3.7234725373206197
                                      Encrypted:false
                                      SSDEEP:192:Rrl7r3GLNi5v62LYZ2SkH+prT89brbmsfAeRjm:RrlsNih6MYZ2SkHrbFfAM6
                                      MD5:0445C4911E8BD6F8CCDECD7ECE1F0EED
                                      SHA1:F9F94B93692A1F1447E80FE4B50E39D9783B51AD
                                      SHA-256:2FBBA0C8E59A8B1D6C2DF616B250CD1796EA0C8291352FD71180DAE0773C0D75
                                      SHA-512:8A84D40FE755D451A4068FCE2671947792784CEAFB495A02F0EA1EA138F9D595234795AE7E98ED59A6B5B27E1024EEBE88802BBBF20E5F138D049D390B579BF9
                                      Malicious:false
                                      Reputation:low
                                      Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.8.5.6.<./.P.i.d.>.......
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER14C9.tmp.xml
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4533
                                      Entropy (8bit):4.456542350506463
                                      Encrypted:false
                                      SSDEEP:48:cvIwSD8zspJgtWI9mYWSC8B/8fm8M4JA+ZFYN+q8Hxg7zqvJupd:uITf7hRSNKJn0NIe7mv4pd
                                      MD5:94519179BDCB8BA568890471088FD3B5
                                      SHA1:FBBE4BB0B25E7F99245025CC7673A4019A1A7353
                                      SHA-256:D9FB01E02CCD6D6A42DFB73A2FA94171952F440E6CD9553357F01A244CA6262E
                                      SHA-512:370ADE951BD152ACD84C37EF29F084691BB73061879123D7B6A422EE34EC7C5B6F50A78F7FF1A139181BF18AD1CC7D9E733ABC265260AC5B751B52BFE25629AD
                                      Malicious:false
                                      Reputation:low
                                      Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="746536" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                      C:\ProgramData\Microsoft\Windows\WER\Temp\WERD26.tmp.dmp
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 14 streams, Fri Nov 27 01:06:07 2020, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):110238
                                      Entropy (8bit):3.479625234997686
                                      Encrypted:false
                                      SSDEEP:768:bgCe5gNbDqmyhZ303oHqUD8CQjPOWQaCgUziUHloTAZ1ExqaLQoKEequOED:7ttLS303oGFSNaCgUziUbEQuVuOED
                                      MD5:D14107A7F95EFA4361734C6926E9AA10
                                      SHA1:1D25716F92DCCD4330427C663874EE013F9AC6D2
                                      SHA-256:10C702BE8D1F96B759604E675FE55DBCD0DF5CC6D5A13FDC8F917024AD6B9168
                                      SHA-512:819011E98E92F19BB21F9FBED53A78BBBCB544D701A673CDB114656C47792BA4EEF067E93B429F041EECD895BEC3C980B88EBEE6B7BBF10B5F4AD4C9E1B7C6F1
                                      Malicious:false
                                      Reputation:low
                                      Preview: MDMP....... ........P._...................U...........B..............GenuineIntelW...........T.......(....P._.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
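The Report.wer dropped by WerFault.exe is a BOM-prefixed UTF-16LE key=value file, as its preview above shows. Its TargetAppId field embeds the SHA1 of the crashed image, which ties the crash report back to the submitted file, and EventTime is a 64-bit Windows FILETIME. The following Python parser is an added example, not code from the report or from Joe Sandbox; SAMPLE_WER is constructed from the preview (a prefix of the real 11318-byte file), and reading Wow64Host/Wow64Guest as IMAGE_FILE_MACHINE values is the interpretation used here.

```python
"""Parse a Windows Error Reporting Report.wer like the one WerFault.exe dropped
for INV.exe. Added example, not code from the Joe Sandbox report.

Report.wer is UTF-16LE text with a BOM and CRLF-separated key=value lines.
SAMPLE_WER is CONSTRUCTED from the preview in the report: a prefix of the
real dropped file, not the whole file.
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_WER = b"\xff\xfe" + (
    "Version=1\r\n"
    "EventType=APPCRASH\r\n"
    "EventTime=132509127661819393\r\n"
    "ReportType=2\r\n"
    "Consent=1\r\n"
    "UploadTime=132509127709787858\r\n"
    "ReportStatus=268435456\r\n"
    "ReportIdentifier=47468059-03d7-400a-a82a-255755ab04bf\r\n"
    "IntegratorReportIdentifier=5ccbe28c-350b-4567-8f65-d280825bfb55\r\n"
    "Wow64Host=34404\r\n"
    "Wow64Guest=332\r\n"
    "NsAppName=INV.exe\r\n"
    "AppSessionGuid=00000b28-0001-001b-ee0f-d47859c4d601\r\n"
    "TargetAppId=W:000669d35ae915c2c96fc6d36ce528802e4b0000ffff"
    "!0000180e81bab341eda0d404b8f5fed93bc3b350cfbd!INV.exe\r\n"
).encode("utf-16-le")

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# IMAGE_FILE_MACHINE_* values; Wow64Host/Wow64Guest carry them in decimal
# (assumption used here: 34404 = 0x8664 AMD64, 332 = 0x14C I386).
MACHINE_NAMES = {0x8664: "AMD64", 0x14C: "I386", 0xAA64: "ARM64"}


def parse_wer(data: bytes) -> dict:
    """Return the key=value pairs of a Report.wer; a later duplicate key wins."""
    text = data.decode("utf-16")  # the codec consumes the BOM
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a FILETIME to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def sha1_from_target_app_id(target_app_id: str):
    """The '!0000<sha1>!' segment of TargetAppId carries the crashed image's SHA1."""
    m = re.search(r"!0000([0-9a-fA-F]{40})!", target_app_id)
    return m.group(1).lower() if m else None


def summarize(data: bytes) -> dict:
    """The handful of fields an analyst wants from a crash report."""
    f = parse_wer(data)
    return {
        "event_type": f.get("EventType"),
        "app": f.get("NsAppName"),
        "event_time_utc": filetime_to_utc(int(f["EventTime"])).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "host_arch": MACHINE_NAMES.get(int(f.get("Wow64Host", "0")), "unknown"),
        "guest_arch": MACHINE_NAMES.get(int(f.get("Wow64Guest", "0")), "unknown"),
        "sha1": sha1_from_target_app_id(f.get("TargetAppId", "")),
        "report_id": f.get("ReportIdentifier"),
    }


def matches_sample(data: bytes, sample_sha1: str) -> bool:
    """Tie a crash report back to a known sample by SHA1 (case-insensitive)."""
    return summarize(data)["sha1"] == sample_sha1.lower()


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_WER).items():
        print("%-15s %s" % (k, v))
```

The event time decodes to 2020-11-27 01:06:06 UTC, one second before the minidump's own stamp (Fri Nov 27 01:06:07 2020) and, if the analysis VM's clock runs at UTC+1, in line with the 02:06:35 API Interceptor entry under Simulations. The SHA1 pulled from TargetAppId is 180e81bab341eda0d404b8f5fed93bc3b350cfbd, the submitted sample's SHA1, which is why a WER artefact on a compromised host can identify the exact build that crashed even after the dropper itself has been deleted; Wow64Host AMD64 with Wow64Guest I386 records that the 32-bit sample ran under WOW64, matching the SysWOW64\WerFault.exe path above.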

                                      Static File Info

                                      General

                                      File type:PE32 executable (console) Intel 80386, for MS Windows
                                      Entropy (8bit):7.734539190231703
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name:INV.exe
                                      File size:394240
                                      MD5:83259cb82642666503278233421c306d
                                      SHA1:180e81bab341eda0d404b8f5fed93bc3b350cfbd
                                      SHA256:6e28207e7a3ef7f173d7a7905208a55ff0ad1eb645241e2e9ae453c643cf3a31
                                      SHA512:c5b2342cdd849a49b4e2472c563301aa3f69d192317901f13dd94db5ad680db7b6e529a6b23fd2528e6378a08f058ee06a9663c8539ce44655235fd241cdc5c7
                                      SSDEEP:6144:OKRY0sMhL5VwjYGFzVfPn1IqXJ7kELwepHTAXF3QOrIxc8V4rJH:OKBsM1whBPn1IWdkELLpHU1Xrmc8V4
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........0Y.ecY.ecY.ec...c@.ec...cV.ec...c<.ec.S.cT.ecY.dc3.ecT..cX.ecT..cX.ecY..cX.ecT..cX.ecRichY.ec........................PE..L..

                                      File Icon

                                      Icon Hash:00828e8e8686b000

                                      Static PE Info

                                      General

                                      Entrypoint:0x40127b
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows cui
                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                      DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                      Time Stamp:0x5FC0322D [Thu Nov 26 22:54:37 2020 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:6
                                      OS Version Minor:0
                                      File Version Major:6
                                      File Version Minor:0
                                      Subsystem Version Major:6
                                      Subsystem Version Minor:0
                                      Import Hash:e5251995cfb2fe7a12656fff0fe17665

                                      Entrypoint Preview

                                      Instruction
                                      call 00007F2D98FF681Eh
                                      jmp 00007F2D98FF525Ah
                                      push ebp
                                      mov ebp, esp
                                      mov eax, dword ptr [ebp+08h]
                                      mov eax, dword ptr [eax]
                                      cmp dword ptr [eax], E06D7363h
                                      jne 00007F2D98FF5447h
                                      cmp dword ptr [eax+10h], 03h
                                      jne 00007F2D98FF5441h
                                      mov eax, dword ptr [eax+14h]
                                      cmp eax, 19930520h
                                      je 00007F2D98FF543Dh
                                      cmp eax, 19930521h
                                      je 00007F2D98FF5436h
                                      cmp eax, 19930522h
                                      je 00007F2D98FF542Fh
                                      cmp eax, 01994000h
                                      je 00007F2D98FF5428h
                                      xor eax, eax
                                      pop ebp
                                      retn 0004h
                                      call 00007F2D98FF6BBCh
                                      int3
                                      push 00401285h
                                      call 00007F2D98FF720Bh
                                      pop ecx
                                      xor eax, eax
                                      ret
                                      push ebp
                                      mov ebp, esp
                                      push esi
                                      call 00007F2D98FF575Eh
                                      mov esi, eax
                                      test esi, esi
                                      je 00007F2D98FF556Bh
                                      mov edx, dword ptr [esi+5Ch]
                                      mov ecx, edx
                                      push edi
                                      mov edi, dword ptr [ebp+08h]
                                      cmp dword ptr [ecx], edi
                                      je 00007F2D98FF542Fh
                                      add ecx, 0Ch
                                      lea eax, dword ptr [edx+00000090h]
                                      cmp ecx, eax
                                      jc 00007F2D98FF5411h
                                      lea eax, dword ptr [edx+00000090h]
                                      cmp ecx, eax
                                      jnc 00007F2D98FF5426h
                                      cmp dword ptr [ecx], edi
                                      je 00007F2D98FF5424h
                                      xor ecx, ecx
                                      test ecx, ecx
                                      je 00007F2D98FF5536h
                                      mov edx, dword ptr [ecx+08h]
                                      test edx, edx
                                      je 00007F2D98FF552Bh
                                      cmp edx, 05h
                                      jne 00007F2D98FF542Eh
                                      and dword ptr [ecx+08h], 00000000h
                                      xor eax, eax
                                      inc eax
                                      jmp 00007F2D98FF551Bh
                                      cmp edx, 01h
                                      jne 00007F2D98FF542Ah
                                      or eax, FFFFFFFFh
                                      jmp 00007F2D98FF550Eh

                                      Rich Headers

                                      Programming Language:
                                      • [RES] VS2013 build 21005
                                      • [LNK] VS2013 build 21005

                                      Data Directories

                                       Name                                  Virtual Address  Virtual Size  Is in Section
                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0x1d124          0x8c          .rdata
                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0x62000          0x1e0         .rsrc
                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0x63000          0x130c        .reloc
                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x1cc68          0x40          .rdata
                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_IAT             0x18000          0x1c0         .rdata
                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                      Sections

                                       Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type                                            Entropy        Characteristics
                                       .text   0x1000           0x16e9f       0x17000   False     0.517747961957   data                                                 6.61669655756  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                       .rdata  0x18000          0x5bb4        0x5c00    False     0.373259171196   data                                                 4.5684318813   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .data   0x1e000          0x43b44       0x41e00   False     0.988499911053   DOS executable (block device driver\377\377\200)     7.98533790258  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                       .rsrc   0x62000          0x1e0         0x200     False     0.52734375       data                                                 4.70436301348  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                       .reloc  0x63000          0x130c        0x1400    False     0.778515625      data                                                 6.50096033347  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                       Name         RVA      Size   Type                   Language  Country
                                       RT_MANIFEST  0x62060  0x17d  XML 1.0 document text  English   United States

                                      Imports

                                       DLL           Import
                                       KERNEL32.dll  EnumCalendarInfoExA, SetCalendarInfoW, VirtualProtect, CloseHandle, WriteConsoleW, SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, lstrcpyA, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, HeapSize, GetStringTypeW, HeapReAlloc, HeapAlloc, WaitForSingleObjectEx, EnumCalendarInfoW, CreateDirectoryW, EnumSystemLocalesW, GlobalFix, OutputDebugStringW, RtlUnwind, LoadLibraryExW, FreeLibrary, GetCommandLineA, GetLastError, SetLastError, GetCurrentThread, GetCurrentThreadId, EncodePointer, DecodePointer, ExitProcess, GetModuleHandleExW, GetProcAddress, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, GetProcessHeap, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, WriteFile, GetModuleFileNameW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetTickCount, GetModuleHandleW, CreateSemaphoreW, EnterCriticalSection, LeaveCriticalSection, FatalAppExitA, HeapFree, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, IsDebuggerPresent, IsProcessorFeaturePresent, SetConsoleCtrlHandler, CreateFileW
                                       MPR.dll       WNetDisconnectDialog1W, WNetGetResourceParentW, WNetGetNetworkInformationW, WNetGetResourceInformationW, WNetAddConnection3A
                                       MSACM32.dll   acmFilterTagEnumA, acmDriverEnum, acmFormatChooseW, acmStreamMessage, acmFilterEnumA, acmFormatEnumW, acmDriverDetailsW, acmFormatSuggest
                                       loadperf.dll  LoadPerfCounterTextStringsW, UnloadPerfCounterTextStringsA, LoadPerfCounterTextStringsA
                                       GDI32.dll     UnrealizeObject, GetGlyphOutline, GetCharABCWidthsFloatW, GetNearestColor
                                       WINSPOOL.DRV  StartDocPrinterW, SetPortW, DEVICECAPABILITIES

                                      Possible Origin

                                       Language of compilation system  Country where language is spoken
                                       English                         United States

                                      Network Behavior

                                      UDP Packets


                                      Behavior

                                      System Behavior

                                      General

                                      Start time:02:05:59
                                      Start date:27/11/2020
                                      Path:C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit):true
                                      Commandline:'C:\Users\user\Desktop\INV.exe'
                                      Imagebase:0x1060000
                                      File size:394240 bytes
                                      MD5 hash:83259CB82642666503278233421C306D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.648648516.0000000001081000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:02:05:59
                                      Start date:27/11/2020
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff724c50000
                                      File size:625664 bytes
                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high

                                      General

                                      Start time:02:06:00
                                      Start date:27/11/2020
                                      Path:C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\Desktop\INV.exe
                                      Imagebase:0x1060000
                                      File size:394240 bytes
                                      MD5 hash:83259CB82642666503278233421C306D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low

                                      General

                                      Start time:02:06:00
                                      Start date:27/11/2020
                                      Path:C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\INV.exe
                                      Imagebase:0x1060000
                                      File size:394240 bytes
                                      MD5 hash:83259CB82642666503278233421C306D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.654174864.0000000001081000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:02:06:01
                                      Start date:27/11/2020
                                      Path:C:\Users\user\Desktop\INV.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\Desktop\INV.exe
                                      Imagebase:0x1060000
                                      File size:394240 bytes
                                      MD5 hash:83259CB82642666503278233421C306D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Yara matches:
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.726038979.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.726953085.0000000000BEA000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, Author: Joe Security
                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.727594067.0000000003955000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                      Reputation:low

                                      General

                                      Start time:02:06:04
                                      Start date:27/11/2020
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 872
                                      Imagebase:0x9d0000
                                      File size:434592 bytes
                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:.Net C# or VB.NET
                                      Reputation:high
