
Analysis Report Invoice 6500TH21Y5674.exe

Overview

General Information

Sample Name: Invoice 6500TH21Y5674.exe
Analysis ID: 356249
MD5: dc22d7783144cfe4dcbb4734ed6a3656
SHA1: 65d3e4f4df34bb25f7b621dd0457c641f98029cb
SHA256: c9fc9a54366452a99c7ed753c7f5055141bc579b1a2530f8db7d7a039db6225d
Tags: exe


Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Invoice 6500TH21Y5674.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe' MD5: DC22D7783144CFE4DCBB4734ED6A3656)
    • WerFault.exe (PID: 1320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 740 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | ReversingLabs: Detection: 28%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Invoice 6500TH21Y5674.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Invoice 6500TH21Y5674.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Invoice 6500TH21Y5674.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: ntmarta.pdb, source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.658788365.00000000028E7000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb4 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ColorAdapterClient.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb4 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb2 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.659419962.00000000028E1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: riched20.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdbp source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: msctf.pdbx source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb4 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.658792898.00000000028ED000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb| source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: usp10.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdbD source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbN source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbJ source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.659419962.00000000028E1000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbB source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: shfolder.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdbn source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: mscms.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: shfolder.pdbV source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb4 source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbf source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.658792898.00000000028ED000.00000004.00000001.sdmp
Source: Binary string: msls31.pdbb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.666660166.0000000004D31000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: usp10.pdbv source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb7 source: WerFault.exe, 00000005.00000003.666757268.0000000004E60000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.658788365.00000000028E7000.00000004.00000001.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000005.00000003.666696783.0000000004E61000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbX source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb> source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msls31.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: mscms.pdbd source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: version.pdb* source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: riched20.pdbL source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbz source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb@ source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.666781072.0000000004E67000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00406448 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_004027A1 FindFirstFileA,
Source: Invoice 6500TH21Y5674.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Invoice 6500TH21Y5674.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Invoice 6500TH21Y5674.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Invoice 6500TH21Y5674.exe
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_6FC41A98
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 740
Source: Invoice 6500TH21Y5674.exe, 00000000.00000002.682097774.0000000002540000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Invoice 6500TH21Y5674.exe
Source: Invoice 6500TH21Y5674.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal64.winEXE@2/7@0/1
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7052
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | File created: C:\Users\user\AppData\Local\Temp\nsmED28.tmp
Source: Invoice 6500TH21Y5674.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | File read: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
Source: unknown | Process created: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe 'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 740
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Invoice 6500TH21Y5674.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_6FC41A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_6FC42F60 push eax; ret
Source: initial sample | Static PE information: section name: .data entropy: 7.27709924336
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | File created: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | File created: C:\Users\user\AppData\Local\Temp\nshED58.tmp\System.dll
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_00406448 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_004027A1 FindFirstFileA,
Source: WerFault.exe, 00000005.00000002.679975910.0000000004AA0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000005.00000003.678214551.00000000048BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000005.00000002.679779745.000000000488A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWh
Source: WerFault.exe, 00000005.00000002.679975910.0000000004AA0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000005.00000002.679975910.0000000004AA0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000005.00000002.679975910.0000000004AA0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_10003111 LdrInitializeThunk,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_6FC41A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_1000410A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_10003F0F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Mitre Att&ck Matrix

Techniques listed per tactic; a number in parentheses is the count badge shown next to the technique in the report.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Native API (1), Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Access Token Manipulation (1), Process Injection (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion (2), Access Token Manipulation (1), Process Injection (1), Obfuscated Files or Information (2), Software Packing (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery (121), Virtualization/Sandbox Evasion (2), Remote System Discovery (1), File and Directory Discovery (2), System Information Discovery (3)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data (1), Clipboard Data (1), Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Invoice 6500TH21Y5674.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 33% | Virustotal |
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 29% | ReversingLabs | Win32.Trojan.Convagent
C:\Users\user\AppData\Local\Temp\nshED58.tmp\System.dll | 0% | Virustotal |
C:\Users\user\AppData\Local\Temp\nshED58.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nshED58.tmp\System.dll | 0% | ReversingLabs |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | Invoice 6500TH21Y5674.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | Invoice 6500TH21Y5674.exe | false | | high

      Contacted IPs


      Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

      Private

      IP
      192.168.2.1

      General Information

      Joe Sandbox Version:31.0.0 Emerald
      Analysis ID:356249
      Start date:22.02.2021
      Start time:20:12:24
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 20s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Invoice 6500TH21Y5674.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:19
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal64.winEXE@2/7@0/1
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 83% (good quality ratio 81.9%)
      • Quality average: 87.4%
      • Quality standard deviation: 21.4%
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 104.43.139.144, 104.43.193.48, 184.30.21.144, 51.104.144.132, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.194, 92.122.213.247, 51.104.139.180
      • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

      Simulations

      Behavior and APIs

Time | Type | Description
20:13:26 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nshED58.tmp\System.dll

The same dropped file was previously seen in the analyses of the following samples (all detected as malicious): GPP.exe, OrderSuppliesQuote0817916.exe, ACCOUNT DETAILS.exe, Quotation.com.exe, Unterlagen PDF.exe, QuotationInvoices.exe, PO.exe, SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe, SecuriteInfo.com.FileRepMalware.24882.exe, PDF_doc.exe, 09000000000000.jar, quotation10204168.dox.xlsx, notice of arrivalpdf.exe, R5BNZ68i0f.exe, payment.exe, notice of arrival.xlsx, Invoice Overdue.exe, Invoice Overdue.exe, CHEQUE COPY RECEIPT.exe, Remittance copy.xlsx

                                              Created / dropped Files

                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Invoice 6500TH21_a95a9cdbd3868a56584b72cabf593f6f9eaa3187_00d3adf0_05661bd9\Report.wer
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):13166
                                              Entropy (8bit):3.774830690965141
                                              Encrypted:false
                                              SSDEEP:192:PnLf344LFHBUZMXaYuj7exr4/u7sBS274ItcmeN:fLf344L1BUZMXaYujX/u7sBX4ItcmeN
                                              MD5:B2A9FF4DD6892C2890DBF8E45AB88485
                                              SHA1:AE62CC1D9906E6551FA100EEFE60CA707B8D2091
                                              SHA-256:E105583F6C4CA31C0D3884D7FE2F99C628F13B8595E78A0CF4690C2F3E830DB0
                                              SHA-512:508B06B0E8E9D8B5C8EF54867F11E19FD90A6C956CC14AEECC2C3533135190D28F9971F56433423564656A7018A0E02F84681FBF0E3BB87E66BB0B781334D386
                                              Malicious:false
                                              Reputation:low
Preview (UTF-16 decoded): Version=1 EventType=APPCRASH EventTime=132584947985747177 ReportType=2 Consent=1 UploadTime=132584948050278227 ReportStatus=268435456 ReportIdentifier=06387814-db52-4fba-879f-f3f1c03c2c9f IntegratorReportIdentifier=7bac3806-2eb4-433f-a3b3-544b49168578 Wow64Host=34404 Wow64Guest=332 NsAppName=Invoice 6500TH21Y5674.exe AppSessionGuid=00001b8c-0001-001b-b49d-c2c44e09d701 TargetAppId=W:0006b7b7922d7e0b647f5244957e4815b15e00000904!000065d3e4f4df34bb25f7b621dd0457c641f98029cb!Invoice 650
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER7F4.tmp.WERInternalMetadata.xml
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8344
                                              Entropy (8bit):3.703256214725214
                                              Encrypted:false
                                              SSDEEP:192:Rrl7r3GLNifFH6IRrrGe6YrrSUgRtFgmfMuSj+pr/89bANsfTgm:RrlsNifl6IRrD6YnSUgRPgmfMuSHAGfx
                                              MD5:541615E3CF2661403307AEEE0CA852BC
                                              SHA1:E79D147C52E6A112639D2BB0A17B4165EAC69B2F
                                              SHA-256:63B424AD7CB406D35F481A902A4DBB8573096050392DF751B1C94A58BEEFE6D4
                                              SHA-512:FB921B062B06EE2EF18CDFCB57DD65F7A5C69C99EC92550C5D70EA8F03E018FF0C82BE20E994A2AF4AFC8498C6E4093F9A27EB6E8F4EEB91E0A62DCC420DA93A
                                              Malicious:false
                                              Reputation:low
Preview (UTF-16 decoded): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>17134</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString> <Revision>1</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>1033</LCID> </OSVersionInformation> <ProcessInformation> <Pid>7052</Pid>
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERB12.tmp.xml
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4623
                                              Entropy (8bit):4.48617925721146
                                              Encrypted:false
                                              SSDEEP:48:cvIwSD8zsSJgtWI9ajQWSC8BY8fm8M4JslB7qNuGFTiMo+q8Pn7623t2OXiveidd:uITfg9pSNzJk7dioe7192OSvJdd
                                              MD5:0B4DAE1146BC4C6A596446CEEBB2EDAB
                                              SHA1:D26B2B8C74DBE4B3853260F82AF6F7DA1915750D
                                              SHA-256:9FD8606D6D972D12DBB295F49C527C5C91DF75C38A190690CC8C1B4AEA5DAF78
                                              SHA-512:29AAEDB659300032FA468E4C67AD46FD1E2F8EB6D94D4FEAE10586F9BD966870F8DCA2D089A4B84E9B2D9158BE864386518C47AFC3E809FAD810697E98FDB41F
                                              Malicious:false
                                              Reputation:low
                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="872904" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB9F.tmp.dmp
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Mon Feb 22 19:13:21 2021, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):66182
                                              Entropy (8bit):2.1500581148642697
                                              Encrypted:false
                                              SSDEEP:384:wSuP3ieR98ED6uAxxe3gzhZjr7hiEOGZn6K7:wSuPfR9LD6/xe3gzhZjr7hZ9n6Q
                                              MD5:C7B0D98301EDFA9EF17D07978828CED2
                                              SHA1:2A245600875BF190BF70026E71F4D23241572B86
                                              SHA-256:6C2C49E5548E9F64A1329C11717C88FBA8A904FE384A47FF7091E5456A019A29
                                              SHA-512:C33DD77D9B22275C564E05A7AD6189C65C9C013E91142890CA441AF4052F69BD0A9C717A9322E5B2CF96ABE397989A1969D19F47C36A8A2E17149A9273F3FAC9
                                              Malicious:false
                                              Reputation:low
                                              Preview: MDMP....... .......Q.4`...................U...........B.......!......GenuineIntelW...........T...........J.4`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                              C:\Users\user\AppData\Local\Temp\csnalztt.zl
                                              Process:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):164864
                                              Entropy (8bit):7.998912168321662
                                              Encrypted:true
                                              SSDEEP:3072:vjvBirrhYZ6EhU+VR/zSRz3DInq5u+bFGLESasrlOqs621Ov4hrjlg:vjvBA+ESZBzSRz3DwNAHsr47x1Ov4h6
                                              MD5:56F7AC02D44E2C397DD1290AA89650A8
                                              SHA1:790FD108F1870FA972269CB1F8B2DEB71EB7CACA
                                              SHA-256:6A2E176536A074D8B73F52CA163CD414685662FF9372E964D075DA84E3F9A3EC
                                              SHA-512:5904B945CF35CB93CE6CE28608CC7A1689696DFD0AA217B153EBF3057C84B0F6B70B4AD4DBAC106D161C77B7E7B8A96B79175EBEFF2D1CB7AC119E92D0C02161
                                              Malicious:false
                                              Reputation:low
                                              C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll
                                              Process:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):8192
                                              Entropy (8bit):6.36613341806139
                                              Encrypted:false
                                              SSDEEP:96:WkB+SnWJ9nZE0vhI2B3cubTsVoeMzr+o1s0klKGIvxzj13IDmZU7ukhMAzN+2:W4T0vhtlbDklKGM13y37ukhp+
                                              MD5:27352D6A2DA80C7A04C0A589E7F025BD
                                              SHA1:500B490B02EE59DEEE00FEB4C59A9F0308464E5C
                                              SHA-256:427AB077A32D2844F5E82A1D0C52B9FA73BB58298DC70B3D3A55BA05552DD840
                                              SHA-512:5AFC122644CA2D1B2F9594ADF653BE281001C6C4E4D6D31B55950B83C64A1434B63054594B575510A9FA707D33E22624F01E92F5DA2572712E364C7E1C21108B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: Virustotal, Detection: 33%, Browse
                                              • Antivirus: Metadefender, Detection: 3%, Browse
                                              • Antivirus: ReversingLabs, Detection: 29%
                                              Reputation:low
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./e..k.y.k.y.k.y..fx.`.y.k.x.y.y..Zq.j.y..Zy.j.y..Z{.j.y.Richk.y.................PE..L....`.`...........!......................... ...............................P......................................` ..L.... ..x.................................................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data........0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\AppData\Local\Temp\nshED58.tmp\System.dll
                                              Process:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11776
                                              Entropy (8bit):5.855045165595541
                                              Encrypted:false
                                              SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                              MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                              SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                              SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                              SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: GPP.exe, Detection: malicious, Browse
                                              • Filename: OrderSuppliesQuote0817916.exe, Detection: malicious, Browse
                                              • Filename: ACCOUNT DETAILS.exe, Detection: malicious, Browse
                                              • Filename: Quotation.com.exe, Detection: malicious, Browse
                                              • Filename: Unterlagen PDF.exe, Detection: malicious, Browse
                                              • Filename: QuotationInvoices.exe, Detection: malicious, Browse
                                              • Filename: PO.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.FileRepMalware.24882.exe, Detection: malicious, Browse
                                              • Filename: PDF_doc.exe, Detection: malicious, Browse
                                              • Filename: 09000000000000.jar, Detection: malicious, Browse
                                              • Filename: quotation10204168.dox.xlsx, Detection: malicious, Browse
                                              • Filename: notice of arrivalpdf.exe, Detection: malicious, Browse
                                              • Filename: R5BNZ68i0f.exe, Detection: malicious, Browse
                                              • Filename: payment.exe, Detection: malicious, Browse
                                              • Filename: notice of arrival.xlsx, Detection: malicious, Browse
                                              • Filename: Invoice Overdue.exe, Detection: malicious, Browse
                                              • Filename: Invoice Overdue.exe, Detection: malicious, Browse
                                              • Filename: CHEQUE COPY RECEIPT.exe, Detection: malicious, Browse
                                              • Filename: Remittance copy.xlsx, Detection: malicious, Browse
                                              Reputation:moderate, very likely benign file
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.888760018796244
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Invoice 6500TH21Y5674.exe
                                              File size:215032
                                              MD5:dc22d7783144cfe4dcbb4734ed6a3656
                                              SHA1:65d3e4f4df34bb25f7b621dd0457c641f98029cb
                                              SHA256:c9fc9a54366452a99c7ed753c7f5055141bc579b1a2530f8db7d7a039db6225d
                                              SHA512:908395a21d0a9411d8d2839b7c952f1cf50fd1998c5325457913cc27b581719d890919c196460ce5eb9fadba874b40043a537e8e40ff6aac75fd0dffcae7be4c
                                              SSDEEP:6144:7x/MzpANjvBA+ESZBzSRz3DwNAHsr47x1Ov4h9:RcpKjTyR7Dw347xkv4h9
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L...%.$_.................d....9.....%3............@

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint:0x403325
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x5F24D625 [Sat Aug 1 02:40:37 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:ced282d9b261d1462772017fe2f6972b

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 00000184h
                                              push ebx
                                              push esi
                                              push edi
                                              xor ebx, ebx
                                              push 00008001h
                                              mov dword ptr [esp+18h], ebx
                                              mov dword ptr [esp+10h], 0040A198h
                                              mov dword ptr [esp+20h], ebx
                                              mov byte ptr [esp+14h], 00000020h
                                              call dword ptr [004080B8h]
                                              call dword ptr [004080BCh]
                                              and eax, BFFFFFFFh
                                              cmp ax, 00000006h
                                              mov dword ptr [007A2F6Ch], eax
                                              je 00007F11E8839383h
                                              push ebx
                                              call 00007F11E883C4E6h
                                              cmp eax, ebx
                                              je 00007F11E8839379h
                                              push 00000C00h
                                              call eax
                                              mov esi, 004082A0h
                                              push esi
                                              call 00007F11E883C462h
                                              push esi
                                              call dword ptr [004080CCh]
                                              lea esi, dword ptr [esi+eax+01h]
                                              cmp byte ptr [esi], bl
                                              jne 00007F11E883935Dh
                                              push 0000000Bh
                                              call 00007F11E883C4BAh
                                              push 00000009h
                                              call 00007F11E883C4B3h
                                              push 00000007h
                                              mov dword ptr [007A2F64h], eax
                                              call 00007F11E883C4A7h
                                              cmp eax, ebx
                                              je 00007F11E8839381h
                                              push 0000001Eh
                                              call eax
                                              test eax, eax
                                              je 00007F11E8839379h
                                              or byte ptr [007A2F6Fh], 00000040h
                                              push ebp
                                              call dword ptr [00408038h]
                                              push ebx
                                              call dword ptr [00408288h]
                                              mov dword ptr [007A3038h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+38h]
                                              push 00000160h
                                              push eax
                                              push ebx
                                              push 0079E528h
                                              call dword ptr [0040816Ch]
                                              push 0040A188h

                                              Rich Headers

                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804

                                              Data Directories

                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x988 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -

                                              Sections

                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x1000 | 0x6230 | 0x6400 | False | 0.6699609375 | data | 6.44188995255 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                               .rdata | 0x8000 | 0x1274 | 0x1400 | False | 0.4337890625 | data | 5.06106734837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .data | 0xa000 | 0x399078 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                               .ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .rsrc | 0x3ac000 | 0x988 | 0xa00 | False | 0.455859375 | data | 4.32856157213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
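
                                               Worked example, added by the editor and not part of the Joe Sandbox report. Two things in the Sections table deserve a check. First, the raw sizes add up to 0x8800 bytes, so with the usual 0x400-byte header only about 35 KB of the 215032-byte file is the PE image; the remaining ~179 KB is overlay, which for a Nullsoft self-extracting archive is where the compressed installer data lives. Second, .data is mapped at 0x399078 bytes but carries only 0x600 bytes on disk, so almost all of it is zero-filled at load time, and the entrypoint code above already writes into that region (the stores to 007A2F6Ch and 007A3038h fall inside it). The script below parses a PE32 section table, computes the overlay offset, flags inflated sections, and looks for the NSIS first-header marker at the start of the overlay. Because the report does not list PointerToRawData, the constructed sample assumes a contiguous 0x200-aligned layout beginning at file offset 0x400; the names, virtual addresses, sizes and characteristics are taken from the table, while the overlay bytes are constructed and are not the real sample's content.

```python
"""Added example, not from the Joe Sandbox report: parse a PE32 section table,
find the overlay behind the last raw section, flag sections whose mapped size
dwarfs their on-disk size, and look for the NSIS first-header marker.
ASSUMPTION: the report lists no PointerToRawData, so the constructed sample uses
a contiguous 0x200-aligned layout starting at file offset 0x400. Section names,
virtual addresses, sizes and characteristics are the report's; the overlay
bytes are constructed and are not the real sample's content."""
import struct

SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes

# (name, VirtualAddress, VirtualSize, SizeOfRawData, Characteristics) from the Sections table
REPORT_SECTIONS = [
    (".text",  0x1000,   0x6230,   0x6400, 0x60000020),
    (".rdata", 0x8000,   0x1274,   0x1400, 0x40000040),
    (".data",  0xa000,   0x399078, 0x600,  0xC0000040),
    (".ndata", 0x3a4000, 0x8000,   0x0,    0xC0000080),
    (".rsrc",  0x3ac000, 0x988,    0xa00,  0x40000040),
]
REPORT_FILE_SIZE = 215032

# NSIS firstheader: flags, siginfo 0xDEADBEEF, then "NullsoftInst" (constructed here)
NSIS_MARKER = b"NullsoftInst"
CONSTRUCTED_OVERLAY = struct.pack("<II", 0, 0xDEADBEEF) + NSIS_MARKER


def build_sample_pe(sections, file_size, overlay=b"", file_align=0x200, headers_size=0x400):
    """Construct a minimal PE32 file: headers, zero-filled section bodies laid out
    back to back from headers_size, then `overlay`, zero-padded to file_size."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5F24D625, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3325)                     # AddressOfEntryPoint (report)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase (report)
    struct.pack_into("<II", opt, 32, 0x1000, file_align)        # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 60, headers_size)               # SizeOfHeaders
    hdrs, raw_ptr = b"", headers_size
    for name, vaddr, vsize, raw_size, chars in sections:
        ptr = raw_ptr if raw_size else 0                        # uninitialised sections own no file bytes
        hdrs += struct.pack(SECTION_HDR, name.encode(), vsize, vaddr, raw_size, ptr, 0, 0, 0, 0, chars)
        raw_ptr += raw_size
    img = dos + b"PE\0\0" + coff + opt + hdrs
    img += b"\0" * (raw_ptr - len(img)) + overlay
    img += b"\0" * (file_size - len(img))
    return bytes(img)


def pe_offset(data):
    """Offset of the PE signature, after checking both magic values."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off


def parse_sections(data):
    """Section table as a list of dicts; names are stripped of NUL padding."""
    pe = pe_offset(data)
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    base = pe + 24 + opt_size
    out = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, base + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                    "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr, "chars": chars})
    return out


def overlay_offset(data):
    """Where appended data starts: end of the highest raw section, or SizeOfHeaders."""
    pe = pe_offset(data)
    hdr_size = struct.unpack_from("<I", data, pe + 24 + 60)[0]
    ends = [s["raw_ptr"] + s["raw_size"] for s in parse_sections(data) if s["raw_size"]]
    return max(ends + [hdr_size])


def inflated_sections(data, ratio=16):
    """Sections mapped more than `ratio` times larger than their on-disk bytes: the
    excess is zero-filled at load and free for the stub to fill at run time."""
    return [s["name"] for s in parse_sections(data) if s["raw_size"] and s["vsize"] > ratio * s["raw_size"]]


def nsis_marker_offset(data):
    """Offset of 'NullsoftInst' if it sits in the overlay's first header, else -1."""
    start = overlay_offset(data)
    return data.find(NSIS_MARKER, start, start + 0x1000)


if __name__ == "__main__":
    sample = build_sample_pe(REPORT_SECTIONS, REPORT_FILE_SIZE, CONSTRUCTED_OVERLAY)
    start = overlay_offset(sample)
    print(f"overlay starts at 0x{start:x}: {len(sample) - start} of {len(sample)} bytes")
    print("inflated sections:", inflated_sections(sample))
    print("NSIS marker offset:", nsis_marker_offset(sample))
```

                                               Against the real file, read the actual PointerToRawData values rather than assuming the layout; the functions above do that, only the constructed sample needs the assumption. A large overlay behind a small stub, a single section that is mostly zero-filled at load, and a writable region the entrypoint touches immediately are the pattern to look for when a "Nullsoft Installer" sample drops a DLL with AV detections, as this one does.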

                                              Resources

                                               Name | RVA | Size | Type | Language | Country
                                               RT_DIALOG | 0x3ac148 | 0x100 | data | English | United States
                                               RT_DIALOG | 0x3ac248 | 0x11c | data | English | United States
                                               RT_DIALOG | 0x3ac364 | 0x60 | data | English | United States
                                               RT_VERSION | 0x3ac3c4 | 0x284 | data | English | United States
                                               RT_MANIFEST | 0x3ac648 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                              Imports

                                               DLL | Import
                                               ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                               SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                               ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                               COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                               USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                               GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                               KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv
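
                                               Worked example, added by the editor and not part of the Joe Sandbox report: the Import Hash shown under Static PE Info (ced282d9b261d1462772017fe2f6972b) is derived from exactly the table above. The script below reproduces pefile's get_imphash() algorithm: each import becomes "<dll name without .dll/.ocx/.sys>.<function>" in lower case, the entries are joined with commas in import-directory order, and the resulting string is MD5-hashed. The DLL and function names are copied verbatim from the table in the order shown there. The one simplification is that imports by ordinal are rendered as ord<N> without pefile's ws2_32/oleaut32 ordinal-to-name lookup; this sample imports nothing by ordinal, so it does not affect the result.

```python
"""Added example, not from the Joe Sandbox report: compute an import hash the way
pefile's get_imphash() does, from the DLL/function list in the report's Imports
table. Only named imports appear here; ordinal imports are simplified to ord<N>."""
import hashlib

# (DLL, space-separated functions) copied from the report's Imports table, in the order shown
REPORT_IMPORTS = [
    ("ADVAPI32.dll", "RegCreateKeyExA RegEnumKeyA RegQueryValueExA RegSetValueExA RegCloseKey "
                     "RegDeleteValueA RegDeleteKeyA AdjustTokenPrivileges LookupPrivilegeValueA "
                     "OpenProcessToken SetFileSecurityA RegOpenKeyExA RegEnumValueA"),
    ("SHELL32.dll", "SHGetFileInfoA SHFileOperationA SHGetPathFromIDListA ShellExecuteExA "
                    "SHGetSpecialFolderLocation SHBrowseForFolderA"),
    ("ole32.dll", "IIDFromString OleInitialize OleUninitialize CoCreateInstance CoTaskMemFree"),
    ("COMCTL32.dll", "ImageList_Create ImageList_Destroy ImageList_AddMasked"),
    ("USER32.dll", "SetClipboardData CharPrevA CallWindowProcA PeekMessageA DispatchMessageA "
                   "MessageBoxIndirectA GetDlgItemTextA SetDlgItemTextA GetSystemMetrics CreatePopupMenu "
                   "AppendMenuA TrackPopupMenu FillRect EmptyClipboard LoadCursorA GetMessagePos "
                   "CheckDlgButton GetSysColor SetCursor GetWindowLongA SetClassLongA SetWindowPos "
                   "IsWindowEnabled GetWindowRect GetSystemMenu EnableMenuItem RegisterClassA "
                   "ScreenToClient EndDialog GetClassInfoA SystemParametersInfoA CreateWindowExA "
                   "ExitWindowsEx DialogBoxParamA CharNextA SetTimer DestroyWindow CreateDialogParamA "
                   "SetForegroundWindow SetWindowTextA PostQuitMessage SendMessageTimeoutA ShowWindow "
                   "wsprintfA GetDlgItem FindWindowExA IsWindow GetDC SetWindowLongA LoadImageA "
                   "InvalidateRect ReleaseDC EnableWindow BeginPaint SendMessageA DefWindowProcA "
                   "DrawTextA GetClientRect EndPaint IsWindowVisible CloseClipboard OpenClipboard"),
    ("GDI32.dll", "SetBkMode SetBkColor GetDeviceCaps CreateFontIndirectA CreateBrushIndirect "
                  "DeleteObject SetTextColor SelectObject"),
    ("KERNEL32.dll", "GetExitCodeProcess WaitForSingleObject GetProcAddress GetSystemDirectoryA "
                     "WideCharToMultiByte MoveFileExA ReadFile GetTempFileNameA WriteFile RemoveDirectoryA "
                     "CreateProcessA CreateFileA GetLastError CreateThread CreateDirectoryA GlobalUnlock "
                     "GetDiskFreeSpaceA GlobalLock SetErrorMode GetVersion lstrcpynA GetCommandLineA "
                     "GetTempPathA lstrlenA SetEnvironmentVariableA ExitProcess GetWindowsDirectoryA "
                     "GetCurrentProcess GetModuleFileNameA CopyFileA GetTickCount Sleep GetFileSize "
                     "GetFileAttributesA SetCurrentDirectoryA SetFileAttributesA GetFullPathNameA "
                     "GetShortPathNameA MoveFileA CompareFileTime SetFileTime SearchPathA lstrcmpiA "
                     "lstrcmpA CloseHandle GlobalFree GlobalAlloc ExpandEnvironmentStringsA LoadLibraryExA "
                     "FreeLibrary lstrcpyA lstrcatA FindClose MultiByteToWideChar "
                     "WritePrivateProfileStringA GetPrivateProfileStringA SetFilePointer GetModuleHandleA "
                     "FindNextFileA FindFirstFileA DeleteFileA MulDiv"),
]
REPORTED_IMPHASH = "ced282d9b261d1462772017fe2f6972b"   # "Import Hash" row under Static PE Info


def imphash_entries(imports):
    """Normalise (dll, "f1 f2 ...") pairs into the lower-case 'lib.func' strings pefile hashes."""
    entries = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".ocx", ".sys", ".dll"):          # pefile strips exactly these extensions
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in funcs.split():
            # An ordinal-only import is written as ord<N>; pefile additionally maps known
            # ws2_32/oleaut32 ordinals back to names, which this simplified version skips.
            name = f"ord{func}" if func.isdigit() else func
            entries.append(f"{lib}.{name.lower()}")
    return entries


def imphash(imports):
    """MD5 over the comma-joined entries; order-sensitive, case-insensitive."""
    return hashlib.md5(",".join(imphash_entries(imports)).encode("ascii")).hexdigest()


if __name__ == "__main__":
    computed = imphash(REPORT_IMPORTS)
    print("computed:", computed)
    print("reported:", REPORTED_IMPHASH, "(match)" if computed == REPORTED_IMPHASH else "(mismatch)")
```

                                               Run it and compare the printed value with the reported one. The hash is order-sensitive, so a mismatch would mean the displayed order differs from the import-directory order, not that the import set differs; a match means the table can be used as-is to pivot on imphash across samples. Either way, keep in mind that these are the installer stub's imports rather than the payload's: the imphash characterises the NSIS wrapper, not the DLL it drops.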

                                              Version Infos

                                               Description | Data
                                               LegalCopyright | Copyright Abkhazian (Latin script)
                                               FileVersion | 8.96.29.2
                                               CompanyName | decoration
                                               LegalTrademarks | Hokkaido
                                               Comments | Kalumpang
                                               ProductName | fire escape
                                               FileDescription | Liv
                                               Translation | 0x0409 0x04e4

                                              Possible Origin

                                               Language of compilation system | Country where language is spoken
                                               English | United States

                                              Network Behavior

                                              Network Port Distribution

                                              UDP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Feb 22, 2021 20:13:08.126100063 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:08.174998999 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:09.268579960 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:09.318689108 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:09.777106047 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:09.845844030 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:10.215289116 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:10.265507936 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:11.212158918 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:11.270188093 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:12.428859949 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:12.482754946 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:13.729577065 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:13.778476000 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:14.978543997 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:15.032226086 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:16.086262941 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:16.134982109 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:17.056094885 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:17.107492924 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:18.172137976 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:18.223676920 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:19.194848061 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:19.243395090 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:20.332845926 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:20.381582022 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:21.520343065 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:21.580420017 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:22.551676035 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:22.603544950 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:23.776237965 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:23.826596975 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:24.780412912 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:24.830338001 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:26.258446932 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:26.312314987 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:26.752038002 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:26.800841093 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:27.809377909 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:27.859285116 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:38.105026960 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:38.156537056 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:57.876569033 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:57.940486908 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:58.460304976 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:58.565757990 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:59.057368994 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:59.126800060 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:13:59.376662970 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:13:59.439727068 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:00.561758995 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:00.634332895 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:01.538045883 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:01.600204945 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:02.156744957 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:02.216437101 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:02.888663054 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:02.918108940 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:02.966742039 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:02.976929903 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:04.285130978 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:04.345084906 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:05.629309893 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:05.679775953 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:06.269172907 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:06.326704979 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:13.891426086 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:13.940160036 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:14.219197989 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:14.284236908 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:16.800393105 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:16.861208916 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:50.368153095 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:50.417006969 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:14:52.280946970 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:14:52.338311911 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4

                                              Code Manipulations

                                              Statistics

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:20:13:14
                                              Start date:22/02/2021
                                              Path:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe'
                                              Imagebase:0x400000
                                              File size:215032 bytes
                                              MD5 hash:DC22D7783144CFE4DCBB4734ED6A3656
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              General

                                              Start time:20:13:16
                                              Start date:22/02/2021
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7052 -s 740
                                              Imagebase:0x60000
                                              File size:434592 bytes
                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis