Analysis Report Invoice 6500TH21Y5674.exe

Overview

General Information

Sample Name:Invoice 6500TH21Y5674.exe
Analysis ID:356249
MD5:dc22d7783144cfe4dcbb4734ed6a3656
SHA1:65d3e4f4df34bb25f7b621dd0457c641f98029cb
SHA256:c9fc9a54366452a99c7ed753c7f5055141bc579b1a2530f8db7d7a039db6225d
Tags:exe

Detection

Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Drops PE files
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • Invoice 6500TH21Y5674.exe (PID: 6928 cmdline: 'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe' MD5: DC22D7783144CFE4DCBB4734ED6A3656)
    • WerFault.exe (PID: 7116 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 736 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: Invoice 6500TH21Y5674.exe | ReversingLabs: Detection: 53%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Invoice 6500TH21Y5674.exe | Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: Invoice 6500TH21Y5674.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Invoice 6500TH21Y5674.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: userenv.pdb> source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb2 source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.666812842.0000000004D0F000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb\ source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.672610626.00000000052B1000.00000004.00000040.sdmp
Source: Binary string: ColorAdapterClient.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.672571387.0000000005101000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdbH source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.672571387.0000000005101000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.667774393.0000000002E62000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.672610626.00000000052B1000.00000004.00000040.sdmp
Source: Binary string: riched20.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: oleacc.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.672712202.00000000052B0000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.672571387.0000000005101000.00000004.00000001.sdmp
Source: Binary string: comctl32v582.pdbE source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.672571387.0000000005101000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.672571387.0000000005101000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdbB source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbP source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: version.pdb` source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.667332189.0000000002E6E000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.672712202.00000000052B0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb$ source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: usp10.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb@ source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.667774393.0000000002E62000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000005.00000003.672610626.00000000052B1000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.672712202.00000000052B0000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.672571387.0000000005101000.00000004.00000001.sdmp
Source: Binary string: shfolder.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdbt source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbN source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: shfolder.pdbE source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000005.00000003.672610626.00000000052B1000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000005.00000003.672610626.00000000052B1000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb8 source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbz source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdbf source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: mscms.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.672712202.00000000052B0000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.672571387.0000000005101000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdb* source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.667332189.0000000002E6E000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.672610626.00000000052B1000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.672571387.0000000005101000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.672610626.00000000052B1000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.672712202.00000000052B0000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdbF source: WerFault.exe, 00000005.00000003.672712202.00000000052B0000.00000004.00000040.sdmp
Source: Binary string: combase.pdbk source: WerFault.exe, 00000005.00000003.672610626.00000000052B1000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbV source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: msls31.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.672737412.00000000052B7000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00406448 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_004027A1 FindFirstFileA,
Source: Invoice 6500TH21Y5674.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Invoice 6500TH21Y5674.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00405339 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Invoice 6500TH21Y5674.exe | Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Invoice 6500TH21Y5674.exe
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_72AB1A98
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 736
Source: Invoice 6500TH21Y5674.exe, 00000000.00000002.687423343.0000000000D40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Invoice 6500TH21Y5674.exe
Source: Invoice 6500TH21Y5674.exe, 00000000.00000002.686919527.0000000000950000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameOLEACCRC.DLLj% vs Invoice 6500TH21Y5674.exe
Source: Invoice 6500TH21Y5674.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal72.winEXE@2/7@0/0
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_004045EA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6928
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | File created: C:\Users\user\AppData\Local\Temp\nsh10FD.tmp
Source: Invoice 6500TH21Y5674.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Invoice 6500TH21Y5674.exe | ReversingLabs: Detection: 53%
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | File read: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
Source: unknown | Process created: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe 'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 736
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Invoice 6500TH21Y5674.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_72AB1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_72AB2F60 push eax; ret
Source: initial sampleStatic PE information: section name: .data entropy: 7.27709924336
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeFile created: C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dllJump to dropped file
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeFile created: C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dllJump to dropped file
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00406448 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_0040589C GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_004027A1 FindFirstFileA,
Source: WerFault.exe, 00000005.00000002.685752998.00000000052D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000005.00000002.685487977.0000000004D00000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000005.00000002.685752998.00000000052D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000005.00000002.685752998.00000000052D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000005.00000002.685752998.00000000052D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_10003111 LdrInitializeThunk,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_72AB1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_1000410A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_10003F0F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe | Code function: 0_2_00403325 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
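
Each evidence line above pairs a process (the source) with the API sequence, queried object or memory string that triggered a signature. The following is an added example by the editor, not Joe Sandbox code: it parses lines in that format and maps them onto anti-analysis indicators, so the report's debugger-check, VM-detection and dynamic-API-resolution conclusions can be reproduced from the raw evidence. The RULES table is an assumed heuristic of this example, not the sandbox's signature logic; REPORT_LINES copies lines from this report (the entry-point line abridged to the calls the rules key on).

```python
"""Map sandbox API-evidence lines onto anti-analysis indicators.
Added example by the editor, not Joe Sandbox code. The rule table is an
assumed heuristic keyed on APIs and strings that appear in this report."""
import re
from collections import defaultdict

# Evidence kinds used on the page; in the raw export the source path runs
# directly into the kind label, optionally separated by ' | '.
KINDS = ("Process information set", "File opened / queried", "Code function",
         "Binary or memory string", "Process queried")

# (indicator, regex applied to "kind: evidence"). Assumed heuristics.
RULES = [
    ("vm-detect:vmware-device-name", re.compile(r"VMware|VMWar|VBOX|QEMU|VirtualBox", re.I)),
    ("anti-debug:debugport-query", re.compile(r"Process queried:\s*DebugPort")),
    ("anti-debug:peb-access", re.compile(r"fs:\[0*30h\]", re.I)),
    ("evasion:dynamic-api-resolution", re.compile(r"LoadLibraryA,GetProcAddress")),
    ("evasion:loader-internals", re.compile(r"\bLdr[A-Za-z]+\b")),
    ("impact:shutdown-reboot", re.compile(r"\bExitWindowsEx\b")),
    ("privesc:token-privilege-adjust", re.compile(r"\bAdjustTokenPrivileges\b")),
    ("discovery:file-enumeration", re.compile(r"\bFindFirstFileA\b")),
]

# Lines reproduced from this report (entry-point line abridged, marked with '...').
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_00406448 FindFirstFileA,FindClose,",
    r"Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeProcess queried: DebugPort",
    r"Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_10003111 LdrInitializeThunk,",
    r"Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_72AB1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,",
    r"Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_1000410A mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\Desktop\Invoice 6500TH21Y5674.exeCode function: 0_2_00403325 EntryPoint,SetErrorMode,...,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,",
]


def parse_line(line: str):
    """Split 'Source: <path><kind>: <evidence>' into (source, kind, evidence); None otherwise."""
    if not line.startswith("Source:"):
        return None
    body = line[len("Source:"):].strip()
    for kind in KINDS:
        idx = body.find(kind)
        if idx != -1:
            source = body[:idx].rstrip(" |")   # tolerate a ' | ' separator before the kind
            evidence = body[idx + len(kind):].lstrip(": ").strip()
            return source, kind, evidence
    return None


def triage(lines):
    """Return {indicator: [(source, kind, evidence), ...]} for every rule that fires."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, kind, evidence = parsed
        haystack = f"{kind}: {evidence}"
        for name, pattern in RULES:
            if pattern.search(haystack):
                hits[name].append((source, kind, evidence))
    return dict(hits)


def indicators_by_source(hits):
    """Invert the triage result: which indicators each process contributed."""
    per_source = defaultdict(set)
    for name, entries in hits.items():
        for source, _, _ in entries:
            per_source[source].add(name)
    return {src: sorted(names) for src, names in per_source.items()}


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    for src, names in indicators_by_source(result).items():
        print(src)
        for name in names:
            print("   ", name)
```

The VM rule is keyed on the VMware device name the sample itself queried rather than on the phrase "Virtual Machine": the Hyper-V strings in the list above are attributed to WerFault.exe's memory, not to the sample, and a rule matching them would credit the crash handler with VM detection.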

Mitre Att&ck Matrix

The report's matrix, listed per tactic. A number after a technique is the badge the report shows for it (the techniques this sample matched); techniques without a badge are the matrix's unmatched placeholders.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Native API 1, Scheduled Task/Job, At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Access Token Manipulation 1, Process Injection 1, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Virtualization/Sandbox Evasion 2, Access Token Manipulation 1, Process Injection 1, Obfuscated Files or Information 2, Software Packing 1
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Security Software Discovery 121, Virtualization/Sandbox Evasion 2, Remote System Discovery 1, File and Directory Discovery 2, System Information Discovery 3
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Archive Collected Data 1, Clipboard Data 1, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Encrypted Channel 1, Junk Data, Steganography, Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot 1, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
Invoice 6500TH21Y5674.exe | 53% | ReversingLabs | Win32.Trojan.Wacatac |
Invoice 6500TH21Y5674.exe | 100% | Joe Sandbox ML | |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 33% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 3% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll | 29% | ReversingLabs | Win32.Trojan.Convagent |
C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll | 0% | Virustotal | | Browse
C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll | 0% | Metadefender | | Browse
C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll | 0% | ReversingLabs | |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://nsis.sf.net/NSIS_Error | Invoice 6500TH21Y5674.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | Invoice 6500TH21Y5674.exe | false | | high

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:31.0.0 Emerald
      Analysis ID:356249
      Start date:22.02.2021
      Start time:20:18:39
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 42s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Invoice 6500TH21Y5674.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Run name:Run with higher sleep bypass
Number of new started processes analysed:19
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal72.winEXE@2/7@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 70% (good quality ratio 69%)
      • Quality average: 88.2%
      • Quality standard deviation: 21.2%
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Sleeps bigger than 120000ms are automatically reduced to 1000ms
      • Found application associated with file extension: .exe
      • Stop behavior analysis, all processes terminated
      Warnings:
      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 23.57.81.29, 168.61.161.212, 204.79.197.200, 13.107.21.200, 13.88.21.125, 23.54.113.53, 104.43.193.48, 13.64.90.137, 52.255.188.83, 51.104.139.180, 52.155.217.156, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.247, 92.122.213.194, 51.11.168.160
      • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll | Invoice 6500TH21Y5674.exe | Get hash | malicious | Browse |
 | GPP.exe | Get hash | malicious | Browse |
 | OrderSuppliesQuote0817916.exe | Get hash | malicious | Browse |
 | ACCOUNT DETAILS.exe | Get hash | malicious | Browse |
 | Quotation.com.exe | Get hash | malicious | Browse |
 | Unterlagen PDF.exe | Get hash | malicious | Browse |
 | QuotationInvoices.exe | Get hash | malicious | Browse |
 | PO.exe | Get hash | malicious | Browse |
 | SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe | Get hash | malicious | Browse |
 | SecuriteInfo.com.FileRepMalware.24882.exe | Get hash | malicious | Browse |
 | PDF_doc.exe | Get hash | malicious | Browse |
 | 09000000000000.jar | Get hash | malicious | Browse |
 | quotation10204168.dox.xlsx | Get hash | malicious | Browse |
 | notice of arrivalpdf.exe | Get hash | malicious | Browse |
 | R5BNZ68i0f.exe | Get hash | malicious | Browse |
 | payment.exe | Get hash | malicious | Browse |
 | notice of arrival.xlsx | Get hash | malicious | Browse |
 | Invoice Overdue.exe | Get hash | malicious | Browse |
 | Invoice Overdue.exe | Get hash | malicious | Browse |
 | CHEQUE COPY RECEIPT.exe | Get hash | malicious | Browse |

                                              Created / dropped Files

                                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Invoice 6500TH21_a95a9cdbd3868a56584b72cabf593f6f9eaa3187_00d3adf0_1b973ea4\Report.wer
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):13168
                                              Entropy (8bit):3.773890261765939
                                              Encrypted:false
                                              SSDEEP:192:NvLU34rLFHBUZMXaYuj7exSA/u7sqS274Itcmeo:lLU34rL1BUZMXaYujI/u7sqX4Itcmeo
                                              MD5:B9A8105BDE3A01D5F56C856A101230A3
                                              SHA1:C6733AFEDB1EC9356EFA1AFE2965F6E45308A8F8
                                              SHA-256:761739947FF5886D6E70676DB774D40C1B7CCAEA3D9E9612DA10F34FD9EB9896
                                              SHA-512:88675EC0371A6C8A4A6E77543A26363A3D3A6AC5467165677CB24942CC77BF185C2647B060BADA747B64325E67047B6EE337C7B2651270F327153612D658BD69
                                              Malicious:false
                                              Reputation:low
                                              Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.8.4.9.5.1.7.7.5.0.3.3.4.6.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.8.4.9.5.1.8.2.8.0.0.1.9.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.5.8.9.2.2.c.-.3.1.9.7.-.4.d.8.3.-.9.8.2.2.-.b.6.c.c.f.9.7.9.3.f.c.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.3.f.9.f.6.d.4.-.7.3.4.6.-.4.5.d.c.-.8.b.f.a.-.0.d.2.7.a.1.c.7.e.7.3.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.n.v.o.i.c.e. .6.5.0.0.T.H.2.1.Y.5.6.7.4...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.1.0.-.0.0.0.1.-.0.0.1.b.-.c.1.8.7.-.1.4.a.6.4.f.0.9.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.7.b.7.9.2.2.d.7.e.0.b.6.4.7.f.5.2.4.4.9.5.7.e.4.8.1.5.b.1.5.e.0.0.0.0.0.9.0.4.!.0.0.0.0.6.5.d.3.e.4.f.4.d.f.3.4.b.b.2.5.f.7.b.6.2.1.d.d.0.4.5.7.c.6.4.1.f.9.8.0.2.9.c.b.!.I.n.v.o.i.c.e. .6.5.0.
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER231D.tmp.dmp
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:Mini DuMP crash report, 14 streams, Mon Feb 22 19:19:39 2021, 0x1205a4 type
                                              Category:dropped
                                              Size (bytes):66162
                                              Entropy (8bit):2.1563332439998835
                                              Encrypted:false
                                              SSDEEP:384:qlI2YeD8dE4EQAxxA3H10ljr7LnF8Gh7E:ohD8e4ExxA3H10ljr7LnDBE
                                              MD5:3E18A873E93E36A60B274EF695D5F2E9
                                              SHA1:9071A4147E55E48BCE1E35DBA3492581FADABBCB
                                              SHA-256:6F82FD3AF651C2393C97F88543EEBC77AAA4B0C65E1366EF15CFE1E1F76C6743
                                              SHA-512:79FD6DB6FD28373012CA805A4BAD5FC4EDB1A6CD77C04A5A529EC7F60E0BE51AEB54B202B3A106DD668A6D115908270A311D748A3871CD0B0B6B3F0364A841DD
                                              Malicious:false
                                              Reputation:low
                                              Preview: MDMP....... .........4`...................U...........B.......!......GenuineIntelW...........T.............4`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER2AEE.tmp.WERInternalMetadata.xml
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):8344
                                              Entropy (8bit):3.7019413029395705
                                              Encrypted:false
                                              SSDEEP:192:Rrl7r3GLNi6Fs6IRe6YrsSUbsigmfMuSf+pr289bjfsfZAhm:RrlsNi6O6IRe6YQSUbsigmfMuSkjEfZ7
                                              MD5:A891BE51303A267ACB51A284CB6F3668
                                              SHA1:AF4710514288DFAA07818E6E173116968323ECD5
                                              SHA-256:41502FDF20090687C574C502CEDB65E0F6C2351ACEEABA305F41212E09C64B39
                                              SHA-512:F5D8429D0CDE5638E97D6BEBC7E7D944BBAC593270601C64ABF5B108A6920B02AA7290C136FAB99575EE5C79A3FF314AAC2E945D75B1D41C8E7115055B8C3454
                                              Malicious:false
                                              Reputation:low
                                              Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.9.2.8.<./.P.i.d.>.......
                                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER2CA5.tmp.xml
                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):4623
                                              Entropy (8bit):4.4833358782904815
                                              Encrypted:false
                                              SSDEEP:48:cvIwSD8zs/JgtWI9/HWSC8BQ/8fm8M4JslB7qNuGFxt+q8Pn7623fS2OXivei0d:uITfh82SNjJk7dyte71PS2OSvJ0d
                                              MD5:5FFC0A71BC19D54284F6747E18C59EB3
                                              SHA1:F4A411FD3EB3DA53EC9B4E208635E2F3976646CE
                                              SHA-256:BD8919A5D39364FA78A4D8F9CFBD8549731DA6553F772527BECB2D48392E8EB7
                                              SHA-512:EDC6FFB38BB75D117388F7E32A82259E43B249FC378D11299FB464DB976BC5B50B59B8685680B43B269C6B4971E2BFCB2C2338CA10C657D9CF79E5D73606C816
                                              Malicious:false
                                              Reputation:low
                                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="872910" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                              C:\Users\user\AppData\Local\Temp\csnalztt.zl
                                              Process:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):164864
                                              Entropy (8bit):7.998912168321662
                                              Encrypted:true
                                              SSDEEP:3072:vjvBirrhYZ6EhU+VR/zSRz3DInq5u+bFGLESasrlOqs621Ov4hrjlg:vjvBA+ESZBzSRz3DwNAHsr47x1Ov4h6
                                              MD5:56F7AC02D44E2C397DD1290AA89650A8
                                              SHA1:790FD108F1870FA972269CB1F8B2DEB71EB7CACA
                                              SHA-256:6A2E176536A074D8B73F52CA163CD414685662FF9372E964D075DA84E3F9A3EC
                                              SHA-512:5904B945CF35CB93CE6CE28608CC7A1689696DFD0AA217B153EBF3057C84B0F6B70B4AD4DBAC106D161C77B7E7B8A96B79175EBEFF2D1CB7AC119E92D0C02161
                                              Malicious:false
                                              Reputation:low
                                              Preview: fY........i!3.J....H?T.)u...W..l-^Z.....>.........y>.*E.vh.|..YU..[iJ...@.'.'........ba.u.0.1:.B)...^.3.5...N@*....o m@.....F.L."..&IB-.HnG<a.^...Xd..%.+.Z..E.X.s....[.?....j......Dc.Y..l..........P.....EI.6.bf.$..<c.xkCC....,...l..'.bHm..H.D.1..q'....[..).7.K.A..........d.`.y.`.&.!.<S..2T..$v.Cp..Z.dk...Wo.....{.-V.......A.......;...p......o.OG..92.{U.A.tf..&^.4.....#.3w.5.p.,.f..v4.h.*....%.oJ... t..."..BU..b.@!.d.Jw...].8o.,.<.{..B...I.\+C.A:I......A.z<JVL....X...6..V.rj+n...fUYF....I-.7..`......r..i...I.O..Iz?.U....0..Sa..;nr..V...8G........Yi0L...T..s.....L.O...tM9P.......Bm..j.."../=._0...+.\..P......p.tt Y.S.w%Y.._i.X..+>Y&...y*..(.k...k.._....i...|./`.w..;..`~.,........l?........L.3.x.s.."....V..^L.....:>..A..)..."R..?..7...".kg$..o.t..{...G..(..R .....!.F.2..G...h...`..Z..gg.+..b3H..m...zz.OS....NP.8...;.;....m.fP..2.....~M...-..eP... 3R2d;[.T...U...N;(.........Q.y5t..n...M.`.?.....Z..2j.z..rQ*._..F.x....S.R.;........f.#:#....DT
                                              C:\Users\user\AppData\Local\Temp\ir9ehshgyir.dll
                                              Process:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):8192
                                              Entropy (8bit):6.36613341806139
                                              Encrypted:false
                                              SSDEEP:96:WkB+SnWJ9nZE0vhI2B3cubTsVoeMzr+o1s0klKGIvxzj13IDmZU7ukhMAzN+2:W4T0vhtlbDklKGM13y37ukhp+
                                              MD5:27352D6A2DA80C7A04C0A589E7F025BD
                                              SHA1:500B490B02EE59DEEE00FEB4C59A9F0308464E5C
                                              SHA-256:427AB077A32D2844F5E82A1D0C52B9FA73BB58298DC70B3D3A55BA05552DD840
                                              SHA-512:5AFC122644CA2D1B2F9594ADF653BE281001C6C4E4D6D31B55950B83C64A1434B63054594B575510A9FA707D33E22624F01E92F5DA2572712E364C7E1C21108B
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: Virustotal, Detection: 33%, Browse
                                              • Antivirus: Metadefender, Detection: 3%, Browse
                                              • Antivirus: ReversingLabs, Detection: 29%
                                              Reputation:low
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./e..k.y.k.y.k.y..fx.`.y.k.x.y.y..Zq.j.y..Zy.j.y..Z{.j.y.Richk.y.................PE..L....`.`...........!......................... ...............................P......................................` ..L.... ..x.................................................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data........0......................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\AppData\Local\Temp\nsb112C.tmp\System.dll
                                              Process:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category:dropped
                                              Size (bytes):11776
                                              Entropy (8bit):5.855045165595541
                                              Encrypted:false
                                              SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                              MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                              SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                              SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                              SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                              Malicious:false
                                              Antivirus:
                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                              • Antivirus: Metadefender, Detection: 0%, Browse
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Joe Sandbox View:
                                              • Filename: Invoice 6500TH21Y5674.exe, Detection: malicious, Browse
                                              • Filename: GPP.exe, Detection: malicious, Browse
                                              • Filename: OrderSuppliesQuote0817916.exe, Detection: malicious, Browse
                                              • Filename: ACCOUNT DETAILS.exe, Detection: malicious, Browse
                                              • Filename: Quotation.com.exe, Detection: malicious, Browse
                                              • Filename: Unterlagen PDF.exe, Detection: malicious, Browse
                                              • Filename: QuotationInvoices.exe, Detection: malicious, Browse
                                              • Filename: PO.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe, Detection: malicious, Browse
                                              • Filename: SecuriteInfo.com.FileRepMalware.24882.exe, Detection: malicious, Browse
                                              • Filename: PDF_doc.exe, Detection: malicious, Browse
                                              • Filename: 09000000000000.jar, Detection: malicious, Browse
                                              • Filename: quotation10204168.dox.xlsx, Detection: malicious, Browse
                                              • Filename: notice of arrivalpdf.exe, Detection: malicious, Browse
                                              • Filename: R5BNZ68i0f.exe, Detection: malicious, Browse
                                              • Filename: payment.exe, Detection: malicious, Browse
                                              • Filename: notice of arrival.xlsx, Detection: malicious, Browse
                                              • Filename: Invoice Overdue.exe, Detection: malicious, Browse
                                              • Filename: Invoice Overdue.exe, Detection: malicious, Browse
                                              • Filename: CHEQUE COPY RECEIPT.exe, Detection: malicious, Browse
                                              Reputation:moderate, very likely benign file
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
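
The "Entropy (8bit)" and "Encrypted" rows above come from Shannon entropy over the file bytes: csnalztt.zl sits at 7.9989 bits per byte and is flagged Encrypted: true, while the Nullsoft installer itself reads 7.8888 because a low-entropy stub is averaged together with its compressed payload. The following is an added example by the editor, not Joe Sandbox code: it computes the same measure and a per-window profile that locates the high-entropy region inside a file instead of averaging it away. The 7.9 threshold, the 4096-byte window and the constructed STUB/PAYLOAD input are assumptions of this example.

```python
"""Shannon entropy as used in the dropped-file table, plus a sliding-window
profile. Added example by the editor, not Joe Sandbox code; the 7.9 threshold
and 4096-byte window are this example's assumptions."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.9) -> bool:
    """Heuristic stand-in for the report's 'Encrypted' flag (threshold assumed)."""
    return shannon_entropy(data) >= threshold


def entropy_profile(data: bytes, window: int = 4096) -> list:
    """Entropy of each consecutive window; a jump marks an embedded high-entropy blob."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def high_entropy_regions(data: bytes, window: int = 4096, threshold: float = 7.9) -> list:
    """(start_offset, end_offset) of each run of windows at or above the threshold."""
    regions, start = [], None
    for idx, e in enumerate(entropy_profile(data, window)):
        off = idx * window
        if e >= threshold and start is None:
            start = off
        elif e < threshold and start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


# Constructed sample (not the real file): a low-entropy "stub" followed by a
# uniform-byte "payload", which is the shape of a packer or installer with an
# encrypted/compressed blob appended.
STUB = b"MZ" + b"\x00" * 4094        # almost constant bytes, entropy near 0
PAYLOAD = bytes(range(256)) * 16     # every byte value 16 times, entropy exactly 8.0
SAMPLE = STUB + PAYLOAD

if __name__ == "__main__":
    print(f"whole-file entropy: {shannon_entropy(SAMPLE):.3f}")
    print("per-window profile:", [round(e, 3) for e in entropy_profile(SAMPLE)])
    print("high-entropy regions:", high_entropy_regions(SAMPLE))
```

On the constructed sample the whole-file figure is about 5.0 and would not trip the threshold, while the profile isolates the second window at 8.0; that is the reason to profile an installer or packed binary rather than trust the single number.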

                                              Static File Info

                                              General

                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                              Entropy (8bit):7.888760018796244
                                              TrID:
                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                              • DOS Executable Generic (2002/1) 0.02%
                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                              File name:Invoice 6500TH21Y5674.exe
                                              File size:215032
                                              MD5:dc22d7783144cfe4dcbb4734ed6a3656
                                              SHA1:65d3e4f4df34bb25f7b621dd0457c641f98029cb
                                              SHA256:c9fc9a54366452a99c7ed753c7f5055141bc579b1a2530f8db7d7a039db6225d
                                              SHA512:908395a21d0a9411d8d2839b7c952f1cf50fd1998c5325457913cc27b581719d890919c196460ce5eb9fadba874b40043a537e8e40ff6aac75fd0dffcae7be4c
                                              SSDEEP:6144:7x/MzpANjvBA+ESZBzSRz3DwNAHsr47x1Ov4h9:RcpKjTyR7Dw347xkv4h9
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!.@.@...@...@../O...@...@..L@../O...@...c...@..+F...@..Rich.@..........PE..L...%.$_.................d....9.....%3............@

                                              File Icon

                                              Icon Hash:00828e8e8686b000

                                              Static PE Info

                                              General

                                              Entrypoint:0x403325
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                              Time Stamp:0x5F24D625 [Sat Aug 1 02:40:37 2020 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:ced282d9b261d1462772017fe2f6972b

                                              Entrypoint Preview

                                              Instruction
                                              sub esp, 00000184h
                                              push ebx
                                              push esi
                                              push edi
                                              xor ebx, ebx
                                              push 00008001h
                                              mov dword ptr [esp+18h], ebx
                                              mov dword ptr [esp+10h], 0040A198h
                                              mov dword ptr [esp+20h], ebx
                                              mov byte ptr [esp+14h], 00000020h
                                              call dword ptr [004080B8h]
                                              call dword ptr [004080BCh]
                                              and eax, BFFFFFFFh
                                              cmp ax, 00000006h
                                              mov dword ptr [007A2F6Ch], eax
                                              je 00007EFDA4D202B3h
                                              push ebx
                                              call 00007EFDA4D23416h
                                              cmp eax, ebx
                                              je 00007EFDA4D202A9h
                                              push 00000C00h
                                              call eax
                                              mov esi, 004082A0h
                                              push esi
                                              call 00007EFDA4D23392h
                                              push esi
                                              call dword ptr [004080CCh]
                                              lea esi, dword ptr [esi+eax+01h]
                                              cmp byte ptr [esi], bl
                                              jne 00007EFDA4D2028Dh
                                              push 0000000Bh
                                              call 00007EFDA4D233EAh
                                              push 00000009h
                                              call 00007EFDA4D233E3h
                                              push 00000007h
                                              mov dword ptr [007A2F64h], eax
                                              call 00007EFDA4D233D7h
                                              cmp eax, ebx
                                              je 00007EFDA4D202B1h
                                              push 0000001Eh
                                              call eax
                                              test eax, eax
                                              je 00007EFDA4D202A9h
                                              or byte ptr [007A2F6Fh], 00000040h
                                              push ebp
                                              call dword ptr [00408038h]
                                              push ebx
                                              call dword ptr [00408288h]
                                              mov dword ptr [007A3038h], eax
                                              push ebx
                                              lea eax, dword ptr [esp+38h]
                                              push 00000160h
                                              push eax
                                              push ebx
                                              push 0079E528h
                                              call dword ptr [0040816Ch]
                                              push 0040A188h

                                              Rich Headers

                                              Programming Language:
                                              • [EXP] VC++ 6.0 SP5 build 8804

                                              Data Directories

                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8438 | 0xa0 | .rdata
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x988 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Sections

                                               Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x1000 | 0x6230 | 0x6400 | False | 0.6699609375 | data | 6.44188995255 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                               .rdata | 0x8000 | 0x1274 | 0x1400 | False | 0.4337890625 | data | 5.06106734837 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .data | 0xa000 | 0x399078 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                               .ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .rsrc | 0x3ac000 | 0x988 | 0xa00 | False | 0.455859375 | data | 4.32856157213 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                              Resources

                                               Name | RVA | Size | Type | Language | Country
                                               RT_DIALOG | 0x3ac148 | 0x100 | data | English | United States
                                               RT_DIALOG | 0x3ac248 | 0x11c | data | English | United States
                                               RT_DIALOG | 0x3ac364 | 0x60 | data | English | United States
                                               RT_VERSION | 0x3ac3c4 | 0x284 | data | English | United States
                                               RT_MANIFEST | 0x3ac648 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                              Imports

                                               DLL | Import
                                               ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                               SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                               ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                               COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                               USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                               GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                               KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                              Version Infos

                                               Description | Data
                                               LegalCopyright | Copyright Abkhazian (Latin script)
                                               FileVersion | 8.96.29.2
                                               CompanyName | decoration
                                               LegalTrademarks | Hokkaido
                                               Comments | Kalumpang
                                               ProductName | fire escape
                                               FileDescription | Liv
                                               Translation | 0x0409 0x04e4

                                              Possible Origin

                                               Language of compilation system | Country where language is spoken
                                               English | United States

                                              Network Behavior

                                              Network Port Distribution

                                              UDP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Feb 22, 2021 20:19:24.748733044 CET | 64646 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:24.815500975 CET | 53 | 64646 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:24.819472075 CET | 65298 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:24.877114058 CET | 53 | 65298 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:24.914781094 CET | 59123 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:24.963464022 CET | 53 | 59123 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:25.797518015 CET | 54531 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:25.849179029 CET | 53 | 54531 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:27.152808905 CET | 49714 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:27.157238960 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:27.203224897 CET | 53 | 49714 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:27.217155933 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:28.116398096 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:28.168422937 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:29.382328033 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:29.433185101 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:31.136949062 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:31.196739912 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:32.192605019 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:32.241115093 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:33.640674114 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:33.692168951 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:34.932954073 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:34.985964060 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:35.956317902 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:36.006692886 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:37.029340982 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:37.078033924 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:37.995919943 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:38.048115969 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:39.638506889 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:39.690025091 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:40.992326975 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:41.042370081 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:41.936924934 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:41.994188070 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:43.097459078 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:43.151063919 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:43.579133987 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:43.628026962 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:44.060345888 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:44.110486031 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:45.027995110 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:45.079440117 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:46.233937025 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:46.285182953 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:19:55.682800055 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:19:55.731451988 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:15.065862894 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:15.171834946 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:15.849272966 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:15.910923958 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:16.489898920 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:16.561069012 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:17.059513092 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:17.121670008 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:17.154700041 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:17.219367981 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:17.638299942 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:17.711520910 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:18.341927052 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:18.404094934 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:19.047049999 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:19.095602989 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:20.018647909 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:20.069063902 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:20.328011036 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:20.385457039 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:20.980401039 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:21.056057930 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:22.097594976 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:22.156143904 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:20:35.787730932 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:20:35.847173929 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:21:05.075010061 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:21:05.123740911 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
                                               Feb 22, 2021 20:21:06.462074995 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
                                               Feb 22, 2021 20:21:06.528007984 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4

                                              Code Manipulations

                                              Statistics

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:20:19:32
                                              Start date:22/02/2021
                                              Path:C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Users\user\Desktop\Invoice 6500TH21Y5674.exe'
                                              Imagebase:0x400000
                                              File size:215032 bytes
                                              MD5 hash:DC22D7783144CFE4DCBB4734ED6A3656
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:low

                                              General

                                              Start time:20:19:34
                                              Start date:22/02/2021
                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6928 -s 736
                                              Imagebase:0xf0000
                                              File size:434592 bytes
                                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis