Windows Analysis Report Auftragsbest#U00e4tigung Dringend.exe

Overview

General Information

Sample Name: Auftragsbest#U00e4tigung Dringend.exe
Analysis ID: 491651
MD5: b8d99b6c405fc56bd8a1448421d64eac
SHA1: 0ba8da5d51a77798010e6b1a2a8e759c8bcbe7fa
SHA256: e2bf9e2c787866d86fc1ae939c378f7d22fab268a00ae163fff1b79332df2088
Tags: exe, RAT, RemcosRAT

Detection

DBatLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected DBatLoader
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
One or more processes crash
PE file contains strange resources
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Auftragsbest#U00e4tigung Dringend.exe Virustotal: Detection: 59%
Source: Auftragsbest#U00e4tigung Dringend.exe Metadefender: Detection: 40%
Source: Auftragsbest#U00e4tigung Dringend.exe ReversingLabs: Detection: 78%

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Unpacked PE file: 1.2.Auftragsbest#U00e4tigung Dringend.exe.400000.0.unpack
Uses 32bit PE files
Source: Auftragsbest#U00e4tigung Dringend.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdbWQY# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.369075881.00000000046DB000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000004.00000003.376772929.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbm& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbgQ)#" source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbaQ3#! source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.368777417.000000000056A000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdbyQK# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb!& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb%Qw# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbc& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb?& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.376772929.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb{& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbS& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb]& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb5& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.368353281.0000000000564000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdbuQG# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb4 source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdbMQ_# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbO& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbq& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbE& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb; source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb7 source: WerFault.exe, 00000004.00000003.376772929.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdbQQc# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.369145029.000000000055E000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb+& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb'& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbw& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb[Qm# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: winmm.pdbI& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.368777417.000000000056A000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb7 source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.350639657.0000000000870000.00000004.00000001.sdmp, WerFault.exe, 00000004.00000003.395170919.0000000004609000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: http://explore.live.com/windows-live-sign-in-
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: http://explore.live.com/windows-live-sign-in-single-use-code-faq
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://account.liv
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://account.live.com/ChangePassword?uaid=dc8fa6b4c18946c2b26a42c526ae2a5f
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://account.live.com/ResetPassword.aspx?wreply=https://login.live.com/login.srf%3fwa%3dwsignin1.
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://account.live.com/query.aspx?uaid=dc8fa6b4c18946c2b26a42c526ae2a5f&mkt=EN-US&lc=1033&id=25020
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://account.live.com/security/LoginStage.aspx?lmif=1000&ru
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://account.live.com/security/LoginStage.aspx?lmif=1000&ru=https://login.live.com/login.srf%3Fwa
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://account.live.com/username/recover?wreply=https://login.live.c
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398133887.000000000086B000.00000004.00000020.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353390647.0000000002ED0000.00000004.00000001.sdmp String found in binary or memory: https://acctcdn.msauth.net
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398133887.000000000086B000.00000004.00000020.sdmp String found in binary or memory: https://acctcdn.msauth.net/
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398133887.000000000086B000.00000004.00000020.sdmp String found in binary or memory: https://acctcdn.msftauth.net/
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398133887.000000000086B000.00000004.00000020.sdmp String found in binary or memory: https://acctcdnmsftuswe2.azureedge.net/
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398133887.000000000086B000.00000004.00000020.sdmp String found in binary or memory: https://acctcdnvzeuno.azureedge.net/
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://github.com/logi
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://github.com/login/oauth/authorize?response_type=code&client_i
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://github.com/login/oauth/authorize?response_type=code&client_id=e37ffdec11c0245cb2e0&scope=rea
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://lgincdnmsftuswe2.azureed
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353390647.0000000002ED0000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.357731768.00000000007FA000.00000004.00000020.sdmp String found in binary or memory: https://lgincdnvzeuno.B
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.357731768.00000000007FA000.00000004.00000020.sdmp String found in binary or memory: https://lgincdnvzeuno.BB
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353390647.0000000002ED0000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://lgincdnvzeuno.azureedge.net/
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.l
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.350759249.0000000000870000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.350759249.0000000000870000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/0
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398133887.000000000086B000.00000004.00000020.sdmp String found in binary or memory: https://login.live.com/9
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/GetCredentialType.s
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/GetCredentialType.srf?opid=79AE4282C0C1384B&id=250206&uiflavor=w
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/GetCredentialType.srf?opid=79AE4282C0C1384B&id=250206&uiflavor=web&wa=wsignin
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/GetSessionState.srf?uiflavor=web&wa=wsignin1.0&rpsnv=13&ct=1632763724&rver=7
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/GetSessionState.srf?uiflavor=web&wa=wsignin1.0&rpsnv=13&ct=1632763724&rver=7.
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/HandleGithubResponse.srf&allow_signup=false&state=79AE4282C0C1384B
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/Me.htm?v=3&
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/Me.htm?v=3&uaid=dc8fa6b4c18946c2b26a42c526ae2a5f
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=dc8fa6b4c1
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=dc8fa6b4c18946c2b26a42c526ae2a5f&mkt=EN-US&lc=1033
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/gls.srf?urlID=MSNPrivacyStatem
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/gls.srf?urlID=MSNPrivacyStatement&mkt=EN-US&uaid=dc8fa6b4c18946c2b26a42c526
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/gls.srf?urlID=MSNPrivacyStatement&mkt=EN-US&uaid=dc8fa6b4c18946c2b26a42c526ae
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/gls.srf?urlID=WinLiveTermsOfUse&mkt=EN-US&uaid=dc8fa6b4c18946c2b26a42c526ae2a
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/jsDi
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/login.srf%3Fwa%3Dwsignin1.0%26rpsnv%3D13%26ct%3D1632763724%26rver%3D7.3.6962.
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/login.srf%3flc%3d1033%26mkt%3dEN-US%26wa%3dwsignin1.0%26rpsnv%3d13%26ct%3d163
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&c
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.350759249.0000000000870000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1632763723&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1632763724&rver=7.3.6962.0&wp=MBI_SS
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353390647.0000000002ED0000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.352808466.00000000008B8000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1632763724&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/logout.srf?wa=wsignin1.0&rpsnv=13&ct=1632763
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/logout.srf?wa=wsignin1.0&rpsnv=13&ct=1632763724&rver=7.3.6962.0&wp=MBI_SSL_SH
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=13&ct=1632763724&rver=7.3.6962.0&wp=MBI
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://login.mic
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398133887.000000000086B000.00000004.00000020.sdmp String found in binary or memory: https://logincdn.msauth.net
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353390647.0000000002ED0000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://logincdn.msauth.net/
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://logincdn.msauth.net/16.000.29174.3/images/Windows_Live_v_thumb.jpg
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://logincdn.msauth.net/16.000.29174.3/images/f
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://logincdn.msauth.net/16.000.29174.3/images/favicon.ico
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033__M8MTZS7Nv0I1zR18wd
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033__M8MTZS7Nv0I1zR18wdR-g2.css
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353390647.0000000002ED0000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_3ParxANZ-MNmIfU_UoPk
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://logincdn.msauth.net/shared/1.0/
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/Conver
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353407741.0000000002EE0000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.358941722.0000000002ED4000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.362316636.000000000262D000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353390647.0000000002ED0000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.353369894.00000000008B1000.00000004.00000001.sdmp String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_OjveJe7WDNHIjSCucBEfkA2.js
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398112791.0000000000853000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.coTR
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.357731768.00000000007FA000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.357731768.00000000007FA000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/9
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://onedrive.live.com/download%3fcid%3d1B877C3EDE919037%26resid%3d1B877C3EDE919037%2521441%26aut
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398112791.0000000000853000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=1B877C3EDE919037&resid=1B
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.357731768.00000000007FA000.00000004.00000020.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000003.350759249.0000000000870000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.358792122.0000000002E7C000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398112791.0000000000853000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=1B877C3EDE919037&resid=1B877C3EDE919037%21441&authkey=AMAxN3s
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398112791.0000000000853000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/nW
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://p.sfx.ms/login/v1/head
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://p.sfx.ms/login/v1/header.html?id=250206&mkt=EN-US&cbcxt=sky
Source: Auftragsbest#U00e4tigung Dringend.exe String found in binary or memory: https://sc.imp.live.com/content/dam/imp/surfaces/mail_signin/v3/sky/EN-US.html?id=250206&mkt=EN-US&c
Source: unknown DNS traffic detected: queries for: clientconfig.passport.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.357731768.00000000007FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Uses 32bit PE files
Source: Auftragsbest#U00e4tigung Dringend.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
One or more processes crash
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 1968
PE file contains strange resources
Source: Auftragsbest#U00e4tigung Dringend.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Auftragsbest#U00e4tigung Dringend.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Auftragsbest#U00e4tigung Dringend.exe Virustotal: Detection: 59%
Source: Auftragsbest#U00e4tigung Dringend.exe Metadefender: Detection: 40%
Source: Auftragsbest#U00e4tigung Dringend.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe File read: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown Process created: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe 'C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe'
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 1968
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6584
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER76A8.tmp
Source: classification engine Classification label: mal64.troj.evad.winEXE@2/4@2/0
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdbWQY# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdbk source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.369075881.00000000046DB000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000004.00000003.376772929.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdbm& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdbgQ)#" source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbaQ3#! source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.368777417.000000000056A000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdbyQK# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb!& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb%Qw# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdbc& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: CLBCatQ.pdb?& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.376772929.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb{& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdbS& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb]& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb5& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000004.00000003.368353281.0000000000564000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdbuQG# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbk source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb4 source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: ncryptsslp.pdbMQ_# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdbO& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbq& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdbE& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb; source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb7 source: WerFault.exe, 00000004.00000003.376772929.0000000004C61000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdbQQc# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000004.00000003.369145029.000000000055E000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb+& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb'& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbw& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb[Qm# source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: winmm.pdbI& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000004.00000003.368777417.000000000056A000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wininet.pdb& source: WerFault.exe, 00000004.00000003.376887881.0000000004C59000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.376908998.0000000004C81000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000004.00000003.376864157.0000000004C53000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.377218590.0000000004C50000.00000004.00000040.sdmp
Source: Binary string: OnDemandConnRouteHelper.pdb7 source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000004.00000003.376333435.0000000004C5C000.00000004.00000040.sdmp

Data Obfuscation:

barindex
Yara detected DBatLoader
Source: Yara match File source: 00000001.00000000.358219235.0000000002414000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.398644926.0000000002414000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.361969007.0000000002414000.00000004.00000001.sdmp, type: MEMORY
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Unpacked PE file: 1.2.Auftragsbest#U00e4tigung Dringend.exe.400000.0.unpack
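The dump named above (1.2.Auftragsbest#U00e4tigung Dringend.exe.400000.0.unpack) is the image the sandbox captured after the loader wrote a new PE over its own image base. The Python below is an added example, not part of this report and not Joe Sandbox tooling, of the header check an analyst runs on such a dump before handing it to a disassembler: it builds a minimal, constructed 32-bit PE header in memory, validates the DOS and NT headers, and when the DOS header has been wiped falls back to scanning for the PE signature so the NT header can still be located. The image layout, the 0x80 e_lfanew and the section count are assumptions chosen for the sample, not values taken from the report.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_minimal_pe(e_lfanew: int = 0x80) -> bytearray:
    """Constructed sample image: only the header fields read by the checks below are set."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"                                        # IMAGE_DOS_HEADER.e_magic
    struct.pack_into("<I", img, 0x3C, e_lfanew)             # IMAGE_DOS_HEADER.e_lfanew
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"                  # IMAGE_NT_HEADERS.Signature
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4,
                     IMAGE_FILE_MACHINE_I386, 3, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", img, e_lfanew + 24, 0x10B)       # IMAGE_OPTIONAL_HEADER32.Magic (PE32)
    return img


def check_pe_header(img: bytes) -> dict:
    """Validate the DOS and NT headers of an in-memory image.

    Returns dos_ok / nt_ok verdicts, the e_lfanew that was read, the offset at
    which an NT header was found (via e_lfanew, or via signature scan when the
    DOS header is gone) and the Machine field at that offset."""
    r = {"dos_ok": False, "nt_ok": False, "e_lfanew": None, "nt_offset": None, "machine": None}
    if len(img) >= 0x40 and img[0:2] == b"MZ":
        r["dos_ok"] = True
        e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
        r["e_lfanew"] = e_lfanew
        if e_lfanew + 24 <= len(img) and img[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            r["nt_ok"] = True
            r["nt_offset"] = e_lfanew
    if r["nt_offset"] is None:
        # DOS header wiped or e_lfanew corrupted: look for a PE signature followed by a
        # plausible Machine value. The NT header often survives when only the first
        # bytes of the image were overwritten.
        off = img.find(b"PE\0\0")
        while off != -1 and off + 6 <= len(img):
            machine = struct.unpack_from("<H", img, off + 4)[0]
            if machine in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
                r["nt_offset"] = off
                break
            off = img.find(b"PE\0\0", off + 1)
    if r["nt_offset"] is not None:
        r["machine"] = struct.unpack_from("<H", img, r["nt_offset"] + 4)[0]
    return r


def header_overwritten(img: bytes) -> bool:
    """True when the image no longer has a consistent DOS -> NT header chain."""
    r = check_pe_header(img)
    return not (r["dos_ok"] and r["nt_ok"])


if __name__ == "__main__":
    intact = bytes(build_minimal_pe())
    wiped = bytearray(intact)
    wiped[0:0x40] = b"\0" * 0x40        # simulate the loader overwriting the DOS header
    for name, img in (("intact", intact), ("dos header wiped", bytes(wiped))):
        print(name, check_pe_header(img), "overwritten:", header_overwritten(img))
```

A dump that fails the DOS check but yields an NT offset from the signature scan can usually be repaired by rewriting the MZ stub and e_lfanew; a dump with no NT header at all needs a different memory region or a later dump point.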
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Code function: 1_3_02ED3AB0 push ebx; ret 1_3_02ED3AB1
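The single instance listed above, push ebx; ret at 1_3_02ED3AB0, is the basic form of this obfuscation: the target is placed on the stack and ret is used as an indirect jump, which breaks linear disassembly and call-graph recovery. The Python below is an added example, not code from the report or from Joe Sandbox, of a linear byte scan for the three idioms the signature name covers (push r32; ret, push imm32; ret and call $+5; pop r32). The code buffer is constructed and the base address is chosen so that its push ebx; ret lands at the report's 0x02ED3AB0. A byte-level scan is a heuristic: the 0x56 inside the sample's immediate is also the push esi opcode and would be reported if a 0xC3 followed it, so hits should be confirmed in a disassembler.

```python
import struct
from typing import Dict, List

# IA-32 one-byte opcodes used by the scan
PUSH_R32, POP_R32 = 0x50, 0x58            # push/pop r32 = base + register number
PUSH_IMM32, CALL_REL32, RET = 0x68, 0xE8, 0xC3
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_push_ret_gadgets(code: bytes, base: int = 0) -> List[Dict]:
    """Linear scan for call/push/ret control-flow obfuscation idioms.

    Reports 'push r32; ret' (jump through a register), 'push imm32; ret'
    (a jmp imm32 in disguise) and 'call $+5; pop r32' (EIP retrieval).
    Each hit carries the virtual address base + index."""
    hits = []
    n = len(code)
    for i in range(n):
        b = code[i]
        if PUSH_R32 <= b <= PUSH_R32 + 7 and i + 1 < n and code[i + 1] == RET:
            hits.append({"va": base + i, "kind": "push_reg_ret",
                         "text": f"push {REGS[b - PUSH_R32]}; ret"})
        elif b == PUSH_IMM32 and i + 5 < n and code[i + 5] == RET:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append({"va": base + i, "kind": "push_imm_ret",
                         "text": f"push 0x{target:08x}; ret"})
        elif b == CALL_REL32 and i + 5 < n:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            nxt = code[i + 5]
            if rel == 0 and POP_R32 <= nxt <= POP_R32 + 7:
                hits.append({"va": base + i, "kind": "call_pop",
                             "text": f"call $+5; pop {REGS[nxt - POP_R32]}"})
    return hits


# Constructed sample buffer (not bytes from the analysed file): an ordinary prologue,
# the three idioms, then a normal epilogue. The base is chosen so the
# 'push ebx; ret' lands at the address the report lists (1_3_02ED3AB0).
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"          # push ebp; mov ebp, esp
    "53 C3"             # push ebx; ret
    "90"                # nop
    "68 78563412 C3"    # push 0x12345678; ret
    "E8 00000000 5B"    # call $+5; pop ebx
    "33 C0 C3"          # xor eax, eax; ret
)
SAMPLE_BASE = 0x02ED3AB0 - 3

if __name__ == "__main__":
    for h in find_push_ret_gadgets(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{h['va']:08X}  {h['kind']:<13} {h['text']}")
```

Run against the code section of the unpacked dump rather than the whole image; resource and data sections produce most of the false positives.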

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (observed 19 times)
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.357731768.00000000007FA000.00000004.00000020.sdmp, WerFault.exe, 00000004.00000002.396871243.00000000045E4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000002.398112791.0000000000853000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW Filter-0000

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Process queried: DebugPort
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.358100296.0000000000FA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.358100296.0000000000FA0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.358100296.0000000000FA0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000001.00000000.358100296.0000000000FA0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos