Windows Analysis Report Auftragsbest#U00e4tigung Dringend.exe

Overview

General Information

Sample Name: Auftragsbest#U00e4tigung Dringend.exe
Analysis ID: 491651
MD5: b8d99b6c405fc56bd8a1448421d64eac
SHA1: 0ba8da5d51a77798010e6b1a2a8e759c8bcbe7fa
SHA256: e2bf9e2c787866d86fc1ae939c378f7d22fab268a00ae163fff1b79332df2088
Tags: exe, RAT, RemcosRAT

Most interesting Screenshot:

Detection

DBatLoader
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Yara detected DBatLoader
Multi AV Scanner detection for submitted file
Uses 32bit PE files
One or more processes crash
PE file contains strange resources
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Auftragsbest#U00e4tigung Dringend.exe Virustotal: Detection: 59%
Source: Auftragsbest#U00e4tigung Dringend.exe Metadefender: Detection: 40%
Source: Auftragsbest#U00e4tigung Dringend.exe ReversingLabs: Detection: 78%

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Unpacked PE file: 0.2.Auftragsbest#U00e4tigung Dringend.exe.400000.0.unpack
Uses 32bit PE files
Source: Auftragsbest#U00e4tigung Dringend.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown DNS traffic detected: queries for: onedrive.live.com

System Summary:

Uses 32bit PE files
Source: Auftragsbest#U00e4tigung Dringend.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
One or more processes crash
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1928
PE file contains strange resources
Source: Auftragsbest#U00e4tigung Dringend.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Auftragsbest#U00e4tigung Dringend.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Auftragsbest#U00e4tigung Dringend.exe Virustotal: Detection: 59%
Source: Auftragsbest#U00e4tigung Dringend.exe Metadefender: Detection: 40%
Source: Auftragsbest#U00e4tigung Dringend.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe File read: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB3B.tmp
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: classification engine Classification label: mal64.troj.evad.winEXE@2/4@1/0
Source: unknown Process created: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe 'C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe'
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1928
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6412
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source: Binary string: dpapi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Unpacked PE file: 0.2.Auftragsbest#U00e4tigung Dringend.exe.400000.0.unpack
Yara detected DBatLoader
Source: Yara match File source: 00000000.00000000.335989572.00000000022D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.359668603.00000000022D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.331391128.00000000022D4000.00000004.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Code function: 0_3_02D63AB2 push ebx; ret 0_3_02D63AB3
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Code function: 0_3_02D71487 push edi; iretd 0_3_02D71496
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 00000008.00000002.358464621.00000000048E5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe Process queried: DebugPort
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.335931295.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.335931295.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.335931295.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.335931295.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP infos