Edit tour

Windows Analysis Report
CodeTwo QR Code Desktop Reader & Generator.exe

Overview

General Information

Sample Name:	CodeTwo QR Code Desktop Reader & Generator.exe
Analysis ID:	1318498
MD5:	0ded5d49693657eb59144402e7850936
SHA1:	64261610923af582c671d37dc108261cad2b20f5
SHA256:	d67855e9230429ea4348f5e2c5badab8647f2bc1cd66fc06be1fed2e0fe2cff5
Infos:

Detection

Score:	3
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

One or more processes crash

Checks if the current process is being debugged

Creates processes with suspicious names

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64

CodeTwo QR Code Desktop Reader & Generator.exe (PID: 6816 cmdline: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe MD5: 0DED5D49693657EB59144402E7850936)

WerFault.exe (PID: 6884 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 768 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static PE information: certificate valid

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: E:\A\284\3084\Sources\Freeware\C2QRCodesReader.1.1.2\Output\Release\Obfuscated\CodeTwo QR Code Desktop Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe
Source:	Binary string: nC:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350693055.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: CodeTwo QR Code Desktop Reader & Generator.pdb source: WER4443.tmp.dmp.2.dr
Source:	Binary string: osymbols\exe\CodeTwo QR Code Desktop Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350693055.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: CodeTwo QR Code Desktop Reader & Generator.pdbz source: WER4443.tmp.dmp.2.dr
Source:	Binary string: mscorlib.pdb source: WER4443.tmp.dmp.2.dr
Source:	Binary string: \??\C:\Windows\exe\CodeTwo QR Code Desktop Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.00000000008CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\CodeTwo QR Code Desktop Reader & Generator.pdbpdbtor.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.0000000000900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER4443.tmp.dmp.2.dr
Source:	Binary string: mscorlib.ni.pdbRSDS.TH source: WER4443.tmp.dmp.2.dr
Source:	Binary string: Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.0000000000900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb48 source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350693055.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mtC:\Windows\CodeTwo QR Code Desktop Reader & Generator.pdb8 source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350693055.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\CodeTwo QR Code Desktop Reader & Generator.pdbne}}I source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.0000000000900000.00000004.00000020.00020000.00000000.sdmp

Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://certs.starfieldtech.com/repository/1402
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://crl.godaddy.com/gdig2s5-3.crl0
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/0
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/masterstarfield2issuing.crl0P
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://crl.starfieldtech.com/repository/sf_issuing_ca-g2.crt0T
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://crl.starfieldtech.com/sfroot-g2.crl0L
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://ocsp.godaddy.com/0
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://ocsp.godaddy.com/05
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://ocsp.starfieldtech.com/0;
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://ocsp.starfieldtech.com/0H
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://www.codetwo.com/exchange-rules-pro/how-to-add-qr-codes-to-exchange-email-signatures?sts=1375
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://www.codetwo.com/freeware/qr-code-desktop-reader?sts=1375
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://www.codetwo.com/solutions-for-exchange-server/?sts=1376
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: http://www.codetwo.com0
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: https://certs.godaddy.com/repository/0
Source: CodeTwo QR Code Desktop Reader & Generator.exe	String found in binary or memory: https://certs.starfieldtech.com/repository/0

Source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.00000000008CB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

memstr_4247be68-9

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.00000000008CB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameclr.dllT vs CodeTwo QR Code Desktop Reader & Generator.exe

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 768

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe

File read: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe

Jump to behavior

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: CodeTwo QR Code Desktop Reader & Generator.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 768

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6816

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4443.tmp

Jump to behavior

Source: CodeTwo QR Code Desktop Reader & Generator.exe

String found in binary or memory: chttp://www.codetwo.com/exchange-rules-pro/how-to-add-qr-codes-to-exchange-email-signatures?sts=1375@

Source: classification engine

Classification label: clean3.winEXE@2/6@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static file information: File size 1240424 > 1048576

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static PE information: certificate valid

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: CodeTwo QR Code Desktop Reader & Generator.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: E:\A\284\3084\Sources\Freeware\C2QRCodesReader.1.1.2\Output\Release\Obfuscated\CodeTwo QR Code Desktop Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe
Source:	Binary string: nC:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350693055.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: CodeTwo QR Code Desktop Reader & Generator.pdb source: WER4443.tmp.dmp.2.dr
Source:	Binary string: osymbols\exe\CodeTwo QR Code Desktop Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350693055.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: CodeTwo QR Code Desktop Reader & Generator.pdbz source: WER4443.tmp.dmp.2.dr
Source:	Binary string: mscorlib.pdb source: WER4443.tmp.dmp.2.dr
Source:	Binary string: \??\C:\Windows\exe\CodeTwo QR Code Desktop Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.00000000008CB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\CodeTwo QR Code Desktop Reader & Generator.pdbpdbtor.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.0000000000900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER4443.tmp.dmp.2.dr
Source:	Binary string: mscorlib.ni.pdbRSDS.TH source: WER4443.tmp.dmp.2.dr
Source:	Binary string: Reader & Generator.pdb source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.0000000000900000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n.pdb48 source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350693055.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mtC:\Windows\CodeTwo QR Code Desktop Reader & Generator.pdb8 source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350693055.00000000006F9000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\CodeTwo QR Code Desktop Reader & Generator.pdbne}}I source: CodeTwo QR Code Desktop Reader & Generator.exe, 00000000.00000002.350733315.0000000000900000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe

File created: \codetwo qr code desktop reader & generator.exe

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe

Queries volume information: C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe VolumeInformation

Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	Path Interception	1 Process Injection	1 Virtualization/Sandbox Evasion	1 Input Capture	21 Security Software Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	11 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
CodeTwo QR Code Desktop Reader & Generator.exe	0%	ReversingLabs
CodeTwo QR Code Desktop Reader & Generator.exe	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.codetwo.com0	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.godaddy.com/gdroot-g2.crl0F	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://ocsp.starfieldtech.com/0H	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://www.codetwo.com/freeware/qr-code-desktop-reader?sts=1375	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://crl.starfieldtech.com/repository/0	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://crl.starfieldtech.com/repository/masterstarfield2issuing.crl0P	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
https://certs.starfieldtech.com/repository/0	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://certificates.godaddy.com/repository/0	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://certs.starfieldtech.com/repository/1402	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://crl.starfieldtech.com/sfroot-g2.crl0L	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://certs.godaddy.com/repository/1301	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://crl.starfieldtech.com/repository/sf_issuing_ca-g2.crt0T	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://upx.sf.net	Amcache.hve.2.dr	false		high
http://ocsp.starfieldtech.com/0;	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://www.codetwo.com/exchange-rules-pro/how-to-add-qr-codes-to-exchange-email-signatures?sts=1375	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://www.codetwo.com/solutions-for-exchange-server/?sts=1376	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
https://certs.godaddy.com/repository/0	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://certificates.godaddy.com/repository/gdig2.crt0	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://crl.godaddy.com/gdig2s5-3.crl0	CodeTwo QR Code Desktop Reader & Generator.exe	false		high
http://www.codetwo.com0	CodeTwo QR Code Desktop Reader & Generator.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1318498
Start date and time:	2023-10-03 09:14:23 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	CodeTwo QR Code Desktop Reader & Generator.exe
Detection:	CLEAN
Classification:	clean3.winEXE@2/6@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): www.bing.com, geo.prod.do.dsp.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, tse1.mm.bing.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, arc.msn.com, kv801.prod.do.dsp.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CodeTwo QR Code _6a9cee6549693584d19b24f5d63b0cafab81e8f_abb61cbe_1aba4ec2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9078197531055681
Encrypted:	false
SSDEEP:	96:6tFGoZQYnCzxDsTh5pXIQcQvc6QcEDMcw3Dr+BHUHZ0ownOgtYsH5Ef5BAKcp2OB:u4WMiHHBUZMXSaKM/u7sxS274ItGk8
MD5:	AA56C366F18C2D1662E8D5B7CC5BB8AC
SHA1:	965D3815D7EAB95BEBFC21A6C51955D343A6C92C
SHA-256:	B6CA00CD79F2E120BCB40D790FE79DEE0793A169A732F863682ACD694F84051E
SHA-512:	4D7A98A82DA61A46B3BC8A4086C42D11FF8731E6B9E571DF36FA87B00160385059EF0DEB7B1CDA1245FF35B883B13A429E2ED5548772B8E94629BBB156B258BF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.4.0.7.9.0.9.0.5.8.9.5.8.4.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.4.0.7.9.0.9.0.6.5.2.0.8.4.7.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.a.c.4.a.9.3.-.0.3.1.a.-.4.6.3.b.-.9.2.e.2.-.0.a.c.9.8.4.8.f.9.0.8.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.a.8.9.7.a.1.-.5.5.c.0.-.4.7.3.0.-.a.c.4.a.-.f.9.b.b.3.e.1.5.c.1.2.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.o.d.e.T.w.o. .Q.R. .C.o.d.e. .D.e.s.k.t.o.p. .R.e.a.d.e.r. .&. .G.e.n.e.r.a.t.o.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.o.d.e.T.w.o. .Q.R. .C.o.d.e. .D.e.s.k.t.o.p. .R.e.a.d.e.r. .&. .G.e.n.e.r.a.t.o.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.a.0.-.0.0.0.1.-.0.0.2.2.-.5.3.a.c.-.3.c.5.5.c.9.f.5.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.0.2.a.7.f.8.0.1.9.6.7.e.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4443.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 3 07:15:06 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	123955
Entropy (8bit):	3.7564421049360055
Encrypted:	false
SSDEEP:	768:ebaMbf6HTJdzFRP3pVNN1t0z32JrnTE0QB8kXNLTIQfJASBOZDTsiwABpanKMDxL:ezS9fRRVNdu38YekdLTIeAKqEiSbcO
MD5:	AC834B6F336DE8D7D2900274E62AAB41
SHA1:	24824E86A48A46EDB0CC7A2EAF65AE1F898DDA79
SHA-256:	51F5984C3DBCC63C4342E54BBD79AC0A092B445020774087E2A33E2AD34AA3B7
SHA-512:	D3DC27085B8230C000339767A13CB29902149F8CD6D80BE2E00E04A6CA84CAE35BB3E2DFF32B2C14FC9A982A15DBBBC27F3A2655A9F31D0E3A9B17C830C10671
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......z..e........................\...........................T.......8...........T...........................X...........D....................................................................U...........B..............GenuineIntelW...........T...........y..e.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER45AB.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8446
Entropy (8bit):	3.7031698005767173
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiSh646YWsSU7ndgmfH4x8SU+prM89bmxsfuim:RrlsNiE646YNSU7ndgmfH42SRmqfC
MD5:	F55DC805D63A3C3A964CF7E841BE63E6
SHA1:	2D9CB42E9AE43A7CA536CF40B7163D4C55CF3FE9
SHA-256:	64842C6336CD38BE2D7DCC7771E43896CF882E0A7D9088DBA9F6BA52A1DC420B
SHA-512:	4D144C7580E89DDB4427332D640FE2E1E70842BEBD999567C18BBB17602D85E8FCB8E49CC3E5E023E1C0D74C9E01FB07173ACC3D3243FF7A72F65CD5C86BEC1A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.1.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER461A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4859
Entropy (8bit):	4.538717908303393
Encrypted:	false
SSDEEP:	48:cvIwSD8zsiJgtWI9uQWgc8sqYjn8fm8M4JPo0oQjFb+q8AoX0yWPoSo87o8moFd:uITfwtpgrsqYwJ/dy5yPTd
MD5:	8746899D60D436A91EC96F7AFE6D3C39
SHA1:	D20AD46B7874EDC18390624552D4B9C237899B29
SHA-256:	5A31D3C9FADD6397431629470430A144D5C2665862FFB1A5F5418E916FF1EE5D
SHA-512:	ED66FC4894C4AC0896886867F62C5ECC8DF6F34B07F5FA8B9E212107A4386DAF35E703A08123024466B1F35A49C00252529904D7EAB0757054CF96786864316F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2244505" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.443384375163787
Encrypted:	false
SSDEEP:	12288:NDGDfcWUuo4dlQK5RAd4TFSzM578MJZRg0TtHu4wy/YGEDLvLDvrdd:lGDfcWUuo4dlQK5Xpb
MD5:	FEC46C74491533448A6812A79110AB28
SHA1:	E87102CEBF6410631E0E3F4307637F3BA93BDD63
SHA-256:	7F498853E3CAC0521B41889E0C08BA61E5A3394D0ED1913D87F2AEEB60BBA93F
SHA-512:	A762AB57083BC6C94D0E0AC2590CEC0AFAE716AABB45B38AC761BCF61F06BE6A94AEBA44DBABA41C85162A2A2913054955D9129FF401838BDF7FB4A0DBBA84C8
Malicious:	false
Reputation:	low
Preview:	regfg...g...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..~U................................................................................................................................................................................................................................................................................................................................................'.v.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	3.973735714577823
Encrypted:	false
SSDEEP:	384:6PV5JV2YnSR7MFez8fKFvKLr29zzRNYpvdaNDhC2ZgimTJkU:GrqYu7MFez8fKFvKLrMzRNYpvdaNVC23
MD5:	8AF691B6AC0AE195E071A3532446723A
SHA1:	502B11E029681CBF0B1A0C0E23298D4BC52B4BB5
SHA-256:	3BC018B3ADD2D71EE1075EE01E8D861B6419827E9DE55840076C218C8F41C573
SHA-512:	2408707A6886DE9A9CB7000573D1D9F893B32010250967103B4274AF36A892C4A4256EC8BE0DCC311B06FB5C631DEA55A0AD4438519AC545083DBC2771708DAD
Malicious:	false
Reputation:	low
Preview:	regff...f...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..~U................................................................................................................................................................................................................................................................................................................................................!.v.HvLE.N......f...........c...}.....Z$.v...................... ..hbin................p.\..,..........nk,...~U........(........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ...~U........ ...........P............... .......Z.......................Root........lf......Root....nk ...~U.....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.1110750777753315
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	CodeTwo QR Code Desktop Reader & Generator.exe
File size:	1'240'424 bytes
MD5:	0ded5d49693657eb59144402e7850936
SHA1:	64261610923af582c671d37dc108261cad2b20f5
SHA256:	d67855e9230429ea4348f5e2c5badab8647f2bc1cd66fc06be1fed2e0fe2cff5
SHA512:	08c7ec2beb8662448972eb85c8b48f6c312fbd17bfe3dbca716b90791240eb4270addfaab0ec805e0ff554387bfff219507bde71e4c56b7c3086b26793f1be2d
SSDEEP:	12288:G08iGvSdndfbLPDBpUsE/atF5ccqt73Pjb:fGGdfbLPDBp8S5ccqhPX
TLSH:	50456C3A7929AC01D04C11B1A960EBB801B46CB8E8B6D25DFEF6BF5F3D7334538A5905
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..\................................. ........@.. ..............................oR....@................................

File Icon


Icon Hash:	a85188e1a79aa5a0

Static PE Info

General

Entrypoint:	0x4ffa06
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C1CF369 [Fri Dec 21 14:06:33 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	2/14/2018 7:24:00 PM 2/14/2021 7:24:00 PM
Subject Chain	CN=CodeTwo Sp. z o.o. Sp.k., O=CodeTwo Sp. z o.o. Sp.k., L=Jelenia Gora, C=PL
Version:	3
Thumbprint MD5:	FBBCF902F5B78C6FCD84B3B9C2366081
Thumbprint SHA-1:	59F48D3702247DE35D778F5B6DCE6F6CBD42B838
Thumbprint SHA-256:	0598D0BC2BD4985DBE18A4927ED43AE5DC3B47FBACECD29647AC756FFAF269C1
Serial:	7CA6BA103F7C06F8

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xff9bc	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x100000	0x2d7fe	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12b800	0x3568
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xff90a	0xb2	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfda0c	0xfdc00	False	0.43799838362068966	data	6.457221841752009	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x100000	0x2d7fe	0x2d800	False	0.1111564217032967	data	3.4464654185876036	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12e000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x1000ac	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.5966312056737588
RT_ICON	0x100538	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.4848360655737705
RT_ICON	0x100ee4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.3968105065666041
RT_ICON	0x101fb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.22520746887966805
RT_ICON	0x10457c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.1558219178082192
RT_ICON	0x1087c8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	0.08621505150304815
RT_ICON	0x111c94	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.0645480894357033
RT_ICON	0x1224e0	0xa628	Device independent bitmap graphic, 192 x 384 x 8, image size 36864, 256 important colors	0.08783148391950348
RT_ICON	0x12cb2c	0x54c	PNG image data, 256 x 256, 8-bit grayscale, non-interlaced	0.8915929203539823
RT_GROUP_ICON	0x12d0b4	0x84	data	0.7348484848484849
RT_VERSION	0x12d174	0x464	data	0.35320284697508897
RT_MANIFEST	0x12d614	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

• CodeTwo QR Code Desktop Reader & Generator.exe
• WerFault.exe

Click to jump to process

Memory Usage

• CodeTwo QR Code Desktop Reader & Generator.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• CodeTwo QR Code Desktop Reader & Generator.exe
• WerFault.exe

Click to jump to process

Target ID:	0
Start time:	09:15:05
Start date:	03/10/2023
Path:	C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\CodeTwo QR Code Desktop Reader & Generator.exe
Imagebase:	0x170000
File size:	1'240'424 bytes
MD5 hash:	0DED5D49693657EB59144402E7850936
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:15:05
Start date:	03/10/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 768
Imagebase:	0xb20000
File size:	434'592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report CodeTwo QR Code Desktop Reader & Generator.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_CodeTwo QR Code _6a9cee6549693584d19b24f5d63b0cafab81e8f_abb61cbe_1aba4ec2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4443.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER45AB.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER461A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
CodeTwo QR Code Desktop Reader & Generator.exe