Play interactive tour

Edit tour

Windows Analysis Report Auftragsbest#U00e4tigung Dringend.exe

Overview

General Information

Sample Name:	Auftragsbest#U00e4tigung Dringend.exe
Analysis ID:	491651
MD5:	b8d99b6c405fc56bd8a1448421d64eac
SHA1:	0ba8da5d51a77798010e6b1a2a8e759c8bcbe7fa
SHA256:	e2bf9e2c787866d86fc1ae939c378f7d22fab268a00ae163fff1b79332df2088
Tags:	exeRATRemcosRAT
Infos:
Most interesting Screenshot:

Detection

DBatLoader

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Yara detected DBatLoader

Multi AV Scanner detection for submitted file

Uses 32bit PE files

One or more processes crash

PE file contains strange resources

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Classification

Process Tree

System is w10x64

Auftragsbest#U00e4tigung Dringend.exe (PID: 6412 cmdline: 'C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe' MD5: B8D99B6C405FC56BD8A1448421D64EAC)

WerFault.exe (PID: 5128 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1928 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.335989572.00000000022D4000.00000004.00000001.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000000.00000002.359668603.00000000022D4000.00000004.00000001.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000000.00000000.331391128.00000000022D4000.00000004.00000001.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Auftragsbest#U00e4tigung Dringend.exe	Virustotal: Detection: 59%	Perma Link
Source: Auftragsbest#U00e4tigung Dringend.exe	Metadefender: Detection: 40%	Perma Link
Source: Auftragsbest#U00e4tigung Dringend.exe	ReversingLabs: Detection: 78%

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe

Unpacked PE file: 0.2.Auftragsbest#U00e4tigung Dringend.exe.400000.0.unpack

Source: Auftragsbest#U00e4tigung Dringend.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source:	Binary string: wininet.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbk source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb'$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.357712390.0000000000632000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdbf source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdbe, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb9$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb3$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbc, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb5$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb-$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdbq, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbK, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbi, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: dpapi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: WerFault.exe, 00000008.00000002.358477729.00000000048F7000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: http://explore.live.com/windows-live-sign-in-
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: http://explore.live.com/windows-live-sign-in-single-use-code-faq
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://account.liv
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://account.live.com/ChangePassword?uaid=4f0848c3dca44c8bb07d7e02024d3e5a
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://account.live.com/ResetPassword.aspx?wreply=https://login.live.com/login.srf%3fwa%3dwsignin1.
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://account.live.com/security/LoginStage.aspx?lmif=1000&ru
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://account.live.com/security/LoginStage.aspx?lmif=1000&ru=https://login.live.com/login.srf%3Fwa
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://account.live.com/username/recover?wreply=https://login.live.com/login.srf%3flc%3d1033%26mkt%
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	String found in binary or memory: https://acctcdn.msauth.net
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp	String found in binary or memory: https://acctcdn.msauth.net/
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp	String found in binary or memory: https://acctcdn.msftauth.net/
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp	String found in binary or memory: https://acctcdnmsftuswe2.azureedge.net/
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp	String found in binary or memory: https://acctcdnvzeuno.azureedge.net/
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://github.com/login/oauth/authorize?response_type=code&client
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://github.com/login/oauth/authorize?response_type=code&client_id=e37ffdec11c0245cb2e0&scope=rea
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://lgincdnmsftuswe2.azureed
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	String found in binary or memory: https://lgincdnmsftuswe2.azureedge.net/
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	String found in binary or memory: https://lgincdnvzeuno.azureedge.net/
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/GetCredentialType.srf?opid=37C93C0CE0563237&id=250206&uiflavor=w
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/GetCredentialType.srf?opid=37C93C0CE0563237&id=250206&uiflavor=web&wa=wsignin
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/GetSessionState.srf?uiflavor=web&wa=wsignin1.0&rpsnv=13&ct=1632764213&rver=7
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/GetSessionState.srf?uiflavor=web&wa=wsignin1.0&rpsnv=13&ct=1632764213&rver=7.
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/HandleGithubResponse.srf&allow_signup=false&state=37C93C0CE0563237
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/Me.htm?v=3&
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/Me.htm?v=3&uaid=4f0848c3dca44c8bb07d7e02024d3e5a
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/cookiesDisabled.srf?uaid=4f0848c3dca44c8bb07d7e02024d3e5a&mkt=EN-US&lc=1033
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/gls.srf?urlID=MSNPrivacyStatement&mkt=EN-US&uaid=4f0848c3dca44c8bb07d7e0202
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/gls.srf?urlID=MSNPrivacyStatement&mkt=EN-US&uaid=4f0848c3dca44c8bb07d7e02024d
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/gls.srf?urlID=WinLiveTermsOfUse&mkt=EN-US&uaid=4f0848c3dca44c8bb07d7e02024d3e
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/jsDi
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/login.srf%3Fwa%3Dwsignin1.0%26rpsnv%3D13%26ct%3D1632764213%26rver%3D7.3.6962.
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/login.srf%3flc%3d1033%26mkt%3dEN-US%26wa%3dwsignin1.0%26rpsnv%3d13%26ct%3d163
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1632764213&rver=7.3.6962.0&wp=MBI_SS
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1632764213&rver=7.3.6962.0&wp=MBI_SSL_SHA
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/logout.srf?wa=wsignin1.0&rpsnv=13&ct=1632764
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/logout.srf?wa=wsignin1.0&rpsnv=13&ct=1632764213&rver=7.3.6962.0&wp=MBI_SSL_SH
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=13&ct=1632764213&rver=7.3.6962.0&wp=MBI
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://login.mic
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp	String found in binary or memory: https://logincdn.msauth.net
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	String found in binary or memory: https://logincdn.msauth.net/
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://logincdn.msauth.net/16.000.29174.3/images/Windows_Live_v_thumb.jpg
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://logincdn.msauth.net/16.000.29174.3/images/f
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://logincdn.msauth.net/16.000.29174.3/images/favicon.ico
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v21033__M8MTZS7Nv0I1zR18wdR-g2.css
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_3ParxANZ-MNmIfU_UoPk
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/
Source: Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331642833.000000000285D000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326167184.0000000002D6C000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_OjveJe7WDNHIjSCucBEfkA2.js
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://onedrive.live.com/download%3fcid%3d1B877C3EDE919037%26resid%3d1B877C3EDE919037%2521441%26aut
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.336607773.0000000002D0C000.00000004.00000001.sdmp	String found in binary or memory: https://onedrive.live.com/download?cid=1B877C3EDE919037&resid=1B877C3EDE919037%21441&authkey=AMAxN3s
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://p.sfx.ms/login/v1/head
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://p.sfx.ms/login/v1/header.html?id=250206&mkt=EN-US&cbcxt=sky
Source: Auftragsbest#U00e4tigung Dringend.exe	String found in binary or memory: https://sc.imp.live.com/content/dam/imp/surfaces/mail_signin/v3/sky/EN-US.html?id=250206&mkt=EN-US&c
Source: WerFault.exe, 00000008.00000002.358414134.00000000048B9000.00000004.00000001.sdmp	String found in binary or memory: https://watson.telemetry.micro

Source: Auftragsbest#U00e4tigung Dringend.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1928

Source: Auftragsbest#U00e4tigung Dringend.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Auftragsbest#U00e4tigung Dringend.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Auftragsbest#U00e4tigung Dringend.exe	Virustotal: Detection: 59%
Source: Auftragsbest#U00e4tigung Dringend.exe	Metadefender: Detection: 40%
Source: Auftragsbest#U00e4tigung Dringend.exe	ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe

File read: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB3B.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: classification engine

Classification label: mal64.troj.evad.winEXE@2/4@1/0

Source: unknown	Process created: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe 'C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe'
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1928

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6412

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source:	Binary string: wininet.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: rsaenh.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbk source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbk source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb'$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: mskeyprotect.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000008.00000002.357712390.0000000000632000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: winnsi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: cryptsp.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: CLBCatQ.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: schannel.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: urlmon.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: cryptbase.pdbf source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdbe, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: winhttp.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: ntasn1.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb9$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: OnDemandConnRouteHelper.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb3$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdbc, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: ncrypt.pdb5$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: gpapi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: ncryptsslp.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: dhcpcsvc6.pdb-$ source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wmswsock.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: version.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: wintrust.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: iertutil.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdbq, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: msasn1.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdbK, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: fwpuclnt.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: comctl32v582.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbi, source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000008.00000003.348988021.0000000002C98000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: ncrypt.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: dpapi.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000008.00000003.348982693.0000000002C95000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000008.00000003.348909735.0000000004D61000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000008.00000003.349008039.0000000002C90000.00000004.00000040.sdmp
Source:	Binary string: rasadhlp.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp
Source:	Binary string: crypt32.pdb source: WerFault.exe, 00000008.00000003.348856243.0000000002C9C000.00000004.00000040.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe

Unpacked PE file: 0.2.Auftragsbest#U00e4tigung Dringend.exe.400000.0.unpack

Yara detected DBatLoader

Show sources

Source: Yara match	File source: 00000000.00000000.335989572.00000000022D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.359668603.00000000022D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.331391128.00000000022D4000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D63AB2 push ebx; ret
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd
Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe	Code function: 0_3_02D71487 push edi; iretd

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: WerFault.exe, 00000008.00000002.358464621.00000000048E5000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe

Process queried: DebugPort

Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.335931295.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.335931295.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.335931295.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.335931295.0000000000E60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection2	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery11	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Auftragsbest#U00e4tigung Dringend.exe	59%	Virustotal		Browse
Auftragsbest#U00e4tigung Dringend.exe	40%	Metadefender		Browse
Auftragsbest#U00e4tigung Dringend.exe	79%	ReversingLabs	Win32.Trojan.Delf

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://lgincdnmsftuswe2.azureed	0%	Avira URL Cloud	safe
https://acctcdn.msftauth.net/	0%	Virustotal		Browse
https://acctcdn.msftauth.net/	0%	Avira URL Cloud	safe
https://login.mic	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000/Converged_v21033__M8MTZS7Nv0I1zR18wdR-g2.css	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_3ParxANZ-MNmIfU_UoPk	0%	Avira URL Cloud	safe
https://watson.telemetry.micro	0%	Avira URL Cloud	safe
https://acctcdn.msauth.net	0%	URL Reputation	safe
https://logincdn.msauth.net/16.000.29174.3/images/f	0%	Avira URL Cloud	safe
https://account.liv	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/16.000.29174.3/images/favicon.ico	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/	0%	URL Reputation	safe
https://acctcdn.msauth.net/	0%	URL Reputation	safe
https://logincdn.msauth.net/16.000.29174.3/images/Windows_Live_v_thumb.jpg	0%	Avira URL Cloud	safe
https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_OjveJe7WDNHIjSCucBEfkA2.js	0%	Avira URL Cloud	safe
https://logincdn.msauth.net	0%	URL Reputation	safe
https://logincdn.msauth.net/shared/1.0/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onedrive.live.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://lgincdnmsftuswe2.azureed	Auftragsbest#U00e4tigung Dringend.exe	false	Avira URL Cloud: safe	unknown
https://acctcdn.msftauth.net/	Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/login/oauth/authorize?response_type=code&client	Auftragsbest#U00e4tigung Dringend.exe	false		high
https://login.mic	Auftragsbest#U00e4tigung Dringend.exe	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/16.000/Converged_v21033__M8MTZS7Nv0I1zR18wdR-g2.css	Auftragsbest#U00e4tigung Dringend.exe	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en_3ParxANZ-MNmIfU_UoPk	Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://watson.telemetry.micro	WerFault.exe, 00000008.00000002.358414134.00000000048B9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://acctcdn.msauth.net	Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://logincdn.msauth.net/16.000.29174.3/images/f	Auftragsbest#U00e4tigung Dringend.exe	false	Avira URL Cloud: safe	unknown
https://account.liv	Auftragsbest#U00e4tigung Dringend.exe	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/download?cid=1B877C3EDE919037&resid=1B877C3EDE919037%21441&authkey=AMAxN3s	Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.336607773.0000000002D0C000.00000004.00000001.sdmp	false		high
https://logincdn.msauth.net/16.000.29174.3/images/favicon.ico	Auftragsbest#U00e4tigung Dringend.exe	false	Avira URL Cloud: safe	unknown
https://p.sfx.ms/login/v1/header.html?id=250206&mkt=EN-US&cbcxt=sky	Auftragsbest#U00e4tigung Dringend.exe	false		high
https://account.live.com/ChangePassword?uaid=4f0848c3dca44c8bb07d7e02024d3e5a	Auftragsbest#U00e4tigung Dringend.exe	false		high
https://onedrive.live.com/download%3fcid%3d1B877C3EDE919037%26resid%3d1B877C3EDE919037%2521441%26aut	Auftragsbest#U00e4tigung Dringend.exe	false		high
https://sc.imp.live.com/content/dam/imp/surfaces/mail_signin/v3/sky/EN-US.html?id=250206&mkt=EN-US&c	Auftragsbest#U00e4tigung Dringend.exe	false		high
https://logincdn.msauth.net/	Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://account.live.com/security/LoginStage.aspx?lmif=1000&ru	Auftragsbest#U00e4tigung Dringend.exe	false		high
https://acctcdn.msauth.net/	Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://github.com/login/oauth/authorize?response_type=code&client_id=e37ffdec11c0245cb2e0&scope=rea	Auftragsbest#U00e4tigung Dringend.exe	false		high
https://onedrive.live.com/preload?view=Folders.All&id=250206&mkt=EN-US	Auftragsbest#U00e4tigung Dringend.exe	false		high
https://p.sfx.ms/login/v1/head	Auftragsbest#U00e4tigung Dringend.exe	false		high
https://logincdn.msauth.net/16.000.29174.3/images/Windows_Live_v_thumb.jpg	Auftragsbest#U00e4tigung Dringend.exe	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_OjveJe7WDNHIjSCucBEfkA2.js	Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331642833.000000000285D000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326167184.0000000002D6C000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000003.326146743.0000000002D60000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://logincdn.msauth.net	Auftragsbest#U00e4tigung Dringend.exe, Auftragsbest#U00e4tigung Dringend.exe, 00000000.00000000.331758301.0000000002D64000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://logincdn.msauth.net/shared/1.0/	Auftragsbest#U00e4tigung Dringend.exe	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	491651
Start date:	27.09.2021
Start time:	19:35:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Auftragsbest#U00e4tigung Dringend.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@2/4@1/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.199.120.151, 13.107.43.13, 40.126.31.136, 40.126.31.3, 40.126.31.5, 40.126.31.7, 40.126.31.140, 40.126.31.138, 20.190.159.131, 40.126.31.2, 20.82.210.154, 20.199.120.182, 20.190.159.133, 40.126.31.142, 40.126.31.9, 104.208.16.94, 20.54.110.249, 23.0.174.185, 23.0.174.200, 40.112.88.60, 204.79.197.200, 13.107.21.200, 23.10.249.26, 23.10.249.43, 95.100.54.203, 20.82.209.183 Excluded domains from analysis (whitelisted): odc-web-brs.onedrive.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, l-0004.dc-msedge.net, www.tm.a.prd.aadg.trafficmanager.net, wns.notify.trafficmanager.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com, www.bing.com, client.wns.windows.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, dual-a-0001.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, wu-shim.trafficmanager.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Auftragsbest#U00_fc4fc4a7388d481e966f33dfe07a9685c50949f_fd6e1fa4_152df338\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	14050
Entropy (8bit):	3.768900952000095
Encrypted:	false
SSDEEP:	192:0trmDH0jHBUZMXud/jrhkcZd/u7sRS274ItXIZx:JrKBUZMXIjrd/u7sRX4It8x
MD5:	5F550815AD78B4CE79C8CFDF70D64A2E
SHA1:	DB8759B0B3E8EE89272BA6136EC46DCC6F852EB1
SHA-256:	656C7990FB99C617A43F9593A5C38533B2C857EEB3E7D117DCC0A6EDA5EABC04
SHA-512:	A51B0C88E689826FA41354FECA07A3049C4A7189E20C8DF3A4D85EB9224DF809B028A8A51F7561CD53E12E083C5226B800553F74753E72FF9E086B3E9EB41A23
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.7.2.7.0.2.2.1.4.3.9.6.3.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.7.2.7.0.2.2.5.7.3.9.5.8.1.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.6.9.2.5.0.6.f.-.3.9.f.4.-.4.c.d.d.-.8.7.3.d.-.e.a.1.8.c.f.0.8.7.5.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.8.7.b.2.c.5.-.8.d.c.0.-.4.e.f.1.-.b.1.c.6.-.3.e.b.8.9.b.3.3.2.7.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.u.f.t.r.a.g.s.b.e.s.t.#.U.0.0.e.4.t.i.g.u.n.g. . .D.r.i.n.g.e.n.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.0.c.-.0.0.0.1.-.0.0.1.c.-.0.e.1.f.-.2.f.a.a.1.1.b.4.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.7.5.8.1.f.c.e.c.9.6.c.4.f.a.6.5.7.4.b.d.7.5.3.e.c.0.d.c.3.a.0.0.0.0.0.f.f.f.f.!.0.0.0.0.0.b.a.8.d.a.5.d.5.1.a.7.7.7.9.8.0.1.0.e.6.b.1.a.2.a.8.e.7.5.9.c.8.b.c.b.e.7.f.a.!.A.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB3B.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Sep 28 02:37:03 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	116038
Entropy (8bit):	2.043608254343892
Encrypted:	false
SSDEEP:	384:Ju/H6m53eKUK59PmqSvzX0MVVM6aTcWIDts+fNHBo3ctSbj:Ju/H6m5uKPdVSLX0MdBDtNFqN3
MD5:	E29D19EB206DEE826B86A011C022E50F
SHA1:	FE1ACBBE2EC8649F53F2236FE45307A3E4BC63B6
SHA-256:	C889501BD8518D2A629E00AE5853A0A73440B1E13ACA98804F0A083CB0CECD46
SHA-512:	8ECEE057FDE4B73D9214636E89B8E31285299360CD2F7148555FBE75FB3A8453CABC4F6B75B93DACDB3044D3D7BF0F48BC60A693A836C9F98FFA50375EC21799
Malicious:	false
Reputation:	low
Preview:	MDMP....... .........Ra...................U...........B......@'......GenuineIntelW...........T.............Ra.............................0..2...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE4C2.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8458
Entropy (8bit):	3.705313630966505
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNii6l6IU46YFbSUPtAS5gmfU0SX9ZCprq89bylsfDGm:RrlsNiD6IU46YZSUPtAS5gmfvSX9Cy+j
MD5:	5FD027C85FCAE639A283DFBA683DAE2F
SHA1:	932A899D679019E4CB6AB8FBB808520D4E2EF77B
SHA-256:	85D7A537A31DE1CF4F8E6E9270289B2D6BC5B90750C7B1D60ECBAF3D1312AF2C
SHA-512:	2E7FA6F0558F1EBD61DE4FEF331B465FAF147C394C2FB7362FD14F10CFF59ADEB52EA744F07D3D0E80E4C843865DCDCE1D3F24043AB327ACE4616FED1A4D119F
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.1.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE724.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4723
Entropy (8bit):	4.524380219533162
Encrypted:	false
SSDEEP:	48:cvIwSD8zsuJgtWI9cvIDWSC8B/c8fm8M4JpAJfZF3MC+q821vUMTuuZuEd:uITfk3vIySN3JpAJbMCZxdTuuZuEd
MD5:	3C3A7CA283B828F191B4517026A3EAE9
SHA1:	D1CEBB7FAC080A1DD605BED92EC6EE59DAB67C06
SHA-256:	201A777102B31BCE81BA3DF5DC1CF1B8F58DD4C746507C2A312119F5C97E9AFD
SHA-512:	67607F75F8676210C28D7804C5CDF2661E41C6E08B0F8CFB5AF334D73F792DBE6AB96155780CD3F00D6C9FDE28E05A0A2EB7B6B73C564A9FBB5D08F9A3255199
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1185827" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.785741094468421
TrID:	Win32 Executable (generic) a (10002005/4) 99.38% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	Auftragsbest#U00e4tigung Dringend.exe
File size:	831488
MD5:	b8d99b6c405fc56bd8a1448421d64eac
SHA1:	0ba8da5d51a77798010e6b1a2a8e759c8bcbe7fa
SHA256:	e2bf9e2c787866d86fc1ae939c378f7d22fab268a00ae163fff1b79332df2088
SHA512:	5b1408332ce31003708a5de87bb2b7e3df4731d1d978a3f9dab992a12ccea57ab04239955fd3a56af867fd160ede3d3830826231352bacd0416f887e4e3c070f
SSDEEP:	24576:DMvnUyU3fec2QPesTHGIZHrIzvlZwXI7Dyj3SaH+MJF:DqUjes
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0a121272a98ce659

Static PE Info

General
Entrypoint:	0x4668bc
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ff0bb68e944131943365efbe4d5b9737

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 004651B8h
call 00007FC864C3FD49h
mov eax, dword ptr [00468C18h]
mov eax, dword ptr [eax]
call 00007FC864C964F9h
mov ecx, dword ptr [00468D1Ch]
mov eax, dword ptr [00468C18h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00464E40h]
call 00007FC864C964F9h
mov eax, dword ptr [00468C18h]
mov eax, dword ptr [eax]
call 00007FC864C9656Dh
call 00007FC864C3DAE4h
lea eax, dword ptr [eax+00h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6d000	0x2574	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x79000	0x5a800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0x6eb4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x71000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x6d6f4	0x5dc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x643c0	0x64400	False	0.526362316864	data	6.54514333706	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x66000	0x904	0xa00	False	0.573046875	data	5.83221478683	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x67000	0x1dbc	0x1e00	False	0.413802083333	data	3.99870200843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x69000	0x388c	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x6d000	0x2574	0x2600	False	0.320106907895	data	5.16694007124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x70000	0x34	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x71000	0x18	0x200	False	0.05078125	data	0.170145652003	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0x6eb4	0x7000	False	0.624337332589	data	6.67037544234	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x79000	0x5a800	0x5a800	False	0.245144164365	data	5.96186308461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
DONGA	0x79b9c	0x4cae4	PC bitmap, Windows 3.x format, 319 x 158 x 4	English	United States
RT_CURSOR	0xc6680	0x134	data	English	United States
RT_CURSOR	0xc67b4	0x134	data	English	United States
RT_CURSOR	0xc68e8	0x134	data	English	United States
RT_CURSOR	0xc6a1c	0x134	data	English	United States
RT_CURSOR	0xc6b50	0x134	data	English	United States
RT_CURSOR	0xc6c84	0x134	data	English	United States
RT_CURSOR	0xc6db8	0x134	data	English	United States
RT_BITMAP	0xc6eec	0x1d0	data	English	United States
RT_BITMAP	0xc70bc	0x1e4	data	English	United States
RT_BITMAP	0xc72a0	0x1d0	data	English	United States
RT_BITMAP	0xc7470	0x1d0	data	English	United States
RT_BITMAP	0xc7640	0x1d0	data	English	United States
RT_BITMAP	0xc7810	0x1d0	data	English	United States
RT_BITMAP	0xc79e0	0x1d0	data	English	United States
RT_BITMAP	0xc7bb0	0x1d0	data	English	United States
RT_BITMAP	0xc7d80	0x1d0	data	English	United States
RT_BITMAP	0xc7f50	0x1d0	data	English	United States
RT_BITMAP	0xc8120	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc8208	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xc8670	0x988	data	English	United States
RT_ICON	0xc8ff8	0x10a8	data	English	United States
RT_ICON	0xca0a0	0x25a8	data	English	United States
RT_ICON	0xcc648	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0	English	United States
RT_DIALOG	0xd0870	0x52	data
RT_DIALOG	0xd08c4	0x52	data
RT_STRING	0xd0918	0x33c	data
RT_STRING	0xd0c54	0x2b4	data
RT_STRING	0xd0f08	0xc8	data
RT_STRING	0xd0fd0	0xec	data
RT_STRING	0xd10bc	0x378	data
RT_STRING	0xd1434	0x40c	data
RT_STRING	0xd1840	0x394	data
RT_STRING	0xd1bd4	0x400	data
RT_STRING	0xd1fd4	0x190	data
RT_STRING	0xd2164	0xcc	data
RT_STRING	0xd2230	0x1c4	data
RT_STRING	0xd23f4	0x3c8	data
RT_STRING	0xd27bc	0x338	data
RT_STRING	0xd2af4	0x294	data
RT_RCDATA	0xd2d88	0x10	data
RT_RCDATA	0xd2d98	0x2b0	data
RT_RCDATA	0xd3048	0x692	Delphi compiled form 'TForm1'
RT_GROUP_CURSOR	0xd36dc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd36f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd3704	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd3718	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd372c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd3740	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xd3754	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0xd3768	0x4c	data	English	United States

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OffsetRect, OemToCharA, MessageBoxA, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, RectVisible, RealizePalette, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetTextMetricsA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, lstrcmpiA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalFindAtomA, GlobalDeleteAtom, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2021 19:36:41.338572025 CEST	54154	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:36:41.371993065 CEST	53	54154	8.8.8.8	192.168.2.3
Sep 27, 2021 19:36:51.279550076 CEST	52806	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:36:51.343786001 CEST	53	52806	8.8.8.8	192.168.2.3
Sep 27, 2021 19:36:52.597925901 CEST	53910	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:36:52.612428904 CEST	53	53910	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:00.747107983 CEST	64021	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:00.761286020 CEST	53	64021	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:01.062724113 CEST	60784	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:01.076313019 CEST	53	60784	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:06.493962049 CEST	51143	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:06.508413076 CEST	53	51143	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:07.007255077 CEST	56009	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:07.020061970 CEST	53	56009	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:25.650806904 CEST	59026	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:25.726810932 CEST	53	59026	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:26.417232990 CEST	49572	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:26.430655003 CEST	53	49572	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:26.773639917 CEST	60823	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:26.792924881 CEST	53	60823	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:26.878597021 CEST	52130	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:26.965851068 CEST	53	52130	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:26.981825113 CEST	55102	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:27.008719921 CEST	53	55102	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:27.505029917 CEST	56236	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:27.579572916 CEST	53	56236	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:28.053570032 CEST	56527	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:28.067531109 CEST	53	56527	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:28.453282118 CEST	49559	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:28.467756033 CEST	53	49559	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:28.508270025 CEST	52650	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:28.573246956 CEST	53	52650	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:29.051516056 CEST	63297	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:29.064997911 CEST	53	63297	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:29.757153034 CEST	58361	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:29.773168087 CEST	53	58361	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:30.443042040 CEST	53615	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:30.453489065 CEST	50728	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:30.456218004 CEST	53	53615	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:30.467170000 CEST	53	50728	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:30.560728073 CEST	53777	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:30.574538946 CEST	53	53777	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:30.792747021 CEST	57106	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:30.806591988 CEST	53	57106	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:34.083029985 CEST	60352	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:34.103513956 CEST	53	60352	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:35.399905920 CEST	56773	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:35.414774895 CEST	53	56773	8.8.8.8	192.168.2.3
Sep 27, 2021 19:37:46.122070074 CEST	60982	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:37:46.135545969 CEST	53	60982	8.8.8.8	192.168.2.3
Sep 27, 2021 19:38:01.361005068 CEST	58058	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:38:01.391515017 CEST	53	58058	8.8.8.8	192.168.2.3
Sep 27, 2021 19:38:03.814538956 CEST	64367	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:38:03.849915028 CEST	53	64367	8.8.8.8	192.168.2.3
Sep 27, 2021 19:38:04.705557108 CEST	51539	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:38:04.740397930 CEST	53	51539	8.8.8.8	192.168.2.3
Sep 27, 2021 19:38:08.482204914 CEST	55393	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:38:08.495357990 CEST	53	55393	8.8.8.8	192.168.2.3
Sep 27, 2021 19:38:24.928268909 CEST	50585	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:38:24.947499037 CEST	53	50585	8.8.8.8	192.168.2.3
Sep 27, 2021 19:38:26.580008030 CEST	63456	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:38:26.592530966 CEST	53	63456	8.8.8.8	192.168.2.3
Sep 27, 2021 19:38:40.596544981 CEST	58540	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:38:40.600405931 CEST	55108	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:38:40.630470037 CEST	53	58540	8.8.8.8	192.168.2.3
Sep 27, 2021 19:38:40.633479118 CEST	53	55108	8.8.8.8	192.168.2.3
Sep 27, 2021 19:38:56.600507021 CEST	58942	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:38:56.612618923 CEST	53	58942	8.8.8.8	192.168.2.3
Sep 27, 2021 19:39:14.787744999 CEST	64432	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:39:14.822299004 CEST	53	64432	8.8.8.8	192.168.2.3
Sep 27, 2021 19:39:31.604986906 CEST	49250	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:39:31.619334936 CEST	53	49250	8.8.8.8	192.168.2.3
Sep 27, 2021 19:39:33.414155960 CEST	63490	53	192.168.2.3	8.8.8.8
Sep 27, 2021 19:39:33.427772999 CEST	53	63490	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 27, 2021 19:36:51.279550076 CEST	192.168.2.3	8.8.8.8	0x9965	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Sep 27, 2021 19:36:51.343786001 CEST	8.8.8.8	192.168.2.3	0x9965	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)
Sep 27, 2021 19:36:52.612428904 CEST	8.8.8.8	192.168.2.3	0xa0c5	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net	CNAME (Canonical name)	IN (0x0001)
Sep 27, 2021 19:37:06.508413076 CEST	8.8.8.8	192.168.2.3	0x2f3e	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net	CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Auftragsbest#U00e4tigung Dringend.exe PID: 6412 Parent PID: 4960

General

Start time:	19:36:39
Start date:	27/09/2021
Path:	C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Auftragsbest#U00e4tigung Dringend.exe'
Imagebase:	0x400000
File size:	831488 bytes
MD5 hash:	B8D99B6C405FC56BD8A1448421D64EAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000000.335989572.00000000022D4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000002.359668603.00000000022D4000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000000.00000000.331391128.00000000022D4000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: WerFault.exe PID: 5128 Parent PID: 6412

General

Start time:	19:36:58
Start date:	27/09/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6412 -s 1928
Imagebase:	0x970000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Auftragsbest#U00e4tigung Dringend.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: Auftragsbest#U00e4tigung Dringend.exe PID: 6412 Parent PID: 4960

General

Analysis Process: WerFault.exe PID: 5128 Parent PID: 6412

General

Disassembly

Code Analysis