Windows Analysis Report calc.exe

ID:	510683
Product:	CloudBasic
Start time:	04:46:11
Start date:	28.10.2021
Sample:	calc.exe
Cookbook:	defaultwindowsfilecookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	ce76ae9d476b9c0daa25daf4c6dd4909
SHA1:	f574aa3bbe554363a6f6d1d648c31505bf92bfe5
SHA256:	05f3ac7f197b690f306c521b658c935fbf057d737ad6791cee6e2553b87d090b
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_calc.exe_a324a77e4c56ca8bd619ca72911d9255073bebc_5b8918c7_1245ae87\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	F245D44CC82F545DC6E484C06F40B920	F2B2E22600DFBA8563B3716E23E60E683891158F	CE3FF27C0287A6E3B4CDAB1B9515691D37C0EF622313FD82075C4C3EAEBBC10C
C:\ProgramData\Microsoft\Windows\WER\Temp\WER95DF.tmp.dmp	Mini DuMP crash report, 15 streams, Thu Oct 28 11:47:38 2021, 0x1205a4 type	98D5FA5E6A8954E864AE02B3504DB291	C7704D77FCC7F9B33B6E613540F4C4AE939C3C9A	AF5921F07E715D12C6B7CBB727D0D0D79DBC498B07C2B036E39E92F107D37CEA
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E1D.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	F9DA24943765B4983D016EFEBD1DE0B4	2D958CB73FB2DA4B72597856B1B873B003F3C267	34FE316FE4C82EAA7DF463D8BBEDF39D229AB8BFF23966D69D51F3DF864FD31E
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA070.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	9DB39AE73B7D1BB792E2CF4B5CB5D7C4	E482B880DB6D1036C5319C3A9D6D53DFADF2E284	976605A6B86B34AFB8E27477570C0D27D738FDC3594E6C2695DBB745559CF15D
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	182449C5F258C42DA5001BCC9AB94805	73C00A7372A320893AD74BFD831AC8E6ACEF9E23	02746EF9BF8DF9A436C8CA45EC344BAB17EEFF35685316435AB7257B26C42F07
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	8D077D354AF18790A0DCEB404ED6CA24	61B93D1F3247659D4C468099276D2510A9870C3F	4B8DDD5AB67C2126666BE9D404FE798E39B1DFD82CE36199D474880C75C5B3F5
\Device\ConDrv	ASCII text, with CRLF, LF line terminators	603AE28A4C3B3266A3A66CBEB32ADEAC	DA261060E90CB51C90FC6E004433558F776B3A91	3746AD9375DC9DB19B934CBE8C4034091221508770A5854FDBFFADB4348E19FB

AV Detection:

Multi AV Scanner detection for submitted file

Source: calc.exe	Virustotal: Detection: 54%			Perma Link
Source: calc.exe	ReversingLabs: Detection: 26%

Antivirus / Scanner detection for submitted sample

Source: calc.exe

Avira: detected

Machine Learning detection for sample

Source: calc.exe

Joe Sandbox ML: detected

Compliance:

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49706 version: TLS 1.2

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: calc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Source:	Binary string: mscorlib.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: C:\Users\jpint\OneDrive\Desktop\BuilderBot\BuilderBot\bin\Release\stub\un_priv\DarkEdition\obj\Release\calc.pdb source: calc.exe
Source:	Binary string: calc.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: calc.exe, 00000000.00000002.367647952.00000000031D9000.00000004.00000001.sdmp, WER95DF.tmp.dmp.6.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\calc.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-3Ch]		0_2_0643A56C
Source: C:\Users\user\Desktop\calc.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-3Ch]		0_2_0643B3C8
Source: C:\Users\user\Desktop\calc.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h		0_2_07E6CB98
Source: C:\Users\user\Desktop\calc.exe	Code function: 4x nop then cmp dword ptr [ebp-50h], 00000000h		0_2_07E64B20

Networking:

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\Desktop\calc.exe	Domain query: cdn.discordapp.com
Source: C:\Users\user\Desktop\calc.exe	Network Connect: 162.159.129.233 443			Jump to behavior

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /attachments/897402450376536075/897465559711633408/8NMrqq.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attachments/897223707649515602/897228595318124554/ascii_ART.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)Host: cdn.discordapp.com

Uses HTTPS

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 28 Oct 2021 02:47:25 GMTContent-Type: application/xml; charset=UTF-8Content-Length: 223Connection: closeCF-Ray: 6a50d6df1de5704b-FRACache-Control: private, max-age=0Expires: Thu, 28 Oct 2021 02:47:25 GMTVary: Accept-EncodingCF-Cache-Status: MISSAlt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"X-GUploader-UploadID: ADPycdvmIJ6fyxN-S_Ql7MC3Nxbuwa3jy81FwES3sKTaMMXv4jW4iuObIXKgFvb0UnZQx9eqZK_RhW3Ray2ankX5oQcX-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=FDLVEnkmb%2FsNn8CmbbO5LGqGPJQYPAvbM4HW6vJSl%2FhNcDhnDUprMVf2%2FvGs7shDtytSOU3vj4YZNk5nZnXCMdZIwtaVDOhNnSZZQGuZe%2B%2B198hfkv8qayNPrbvSCpG3lhavTQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflare

URLs found in memory or binary data

Source: calc.exe, 00000000.00000002.367540151.0000000003141000.00000004.00000001.sdmp	String found in binary or memory: http://cdn.discordapp.com
Source: calc.exe, 00000000.00000000.335045493.0000000007F04000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: calc.exe, 00000000.00000002.375768006.0000000007F8B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.verisT
Source: calc.exe, 00000000.00000002.372198113.0000000006E40000.00000004.00000001.sdmp	String found in binary or memory: http://my.netscape.com/publish/formats/rss-0.91.dtd
Source: calc.exe, 00000000.00000002.372198113.0000000006E40000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: calc.exe, 00000000.00000002.367511473.0000000003128000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: calc.exe, 00000000.00000002.372198113.0000000006E40000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.d
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.di
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.dis
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.disc
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.disco
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discor
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discord
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discorda
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordap
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.c
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.co
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/a
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/at
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/att
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/atta
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attac
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attach
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachm
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachme
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachmen
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachment
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp, calc.exe, 00000000.00000000.342834254.000000000117B000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/8
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/89
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/8972
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/89722
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/8972237
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/89722370
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/8972237076
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/89722370764
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/8972237076495
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/89722370764951
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/8972237076495156
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/89722370764951560
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972285
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722859
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972285953
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722859531
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972285953181
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722859531812
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972285953181245
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722859531812455
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/a
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/as
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/asc
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/asci
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_A
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_AR
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.t
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.tx
Source: calc.exe, 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.txt
Source: calc.exe, 00000000.00000002.374635326.00000000074B0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.txtd
Source: calc.exe, 00000000.00000002.374635326.00000000074B0000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.txteB
Source: calc.exe, 00000000.00000000.343240898.0000000002FDE000.00000004.00000010.sdmp, calc.exe, 00000000.00000002.367511473.0000000003128000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897402450376536075/897465559711633408/8NMrqq.txt
Source: calc.exe, 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/897402450376536075/897465559711633408/8NMrqq.txtP
Source: calc.exe, 00000000.00000002.367511473.0000000003128000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.comhgb

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /attachments/897402450376536075/897465559711633408/8NMrqq.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attachments/897223707649515602/897228595318124554/ascii_ART.txt HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)Host: cdn.discordapp.com

Uses secure TLS version for HTTPS connections

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.3:49706 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: calc.exe, 00000000.00000000.342834254.000000000117B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Yara signature match

Source: calc.exe, type: SAMPLE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.calc.exe.aa0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.calc.exe.aa0000.3.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.calc.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.calc.exe.aa0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.343240898.0000000002FDE000.00000004.00000010.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.343254796.00000000030D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.367609669.0000000003183000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.329674852.0000000003183000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.343824955.0000000005750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.305223353.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.367418794.00000000030D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.342834254.000000000117B000.00000004.00000020.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.366800750.000000000117B000.00000004.00000020.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.329221190.000000000117B000.00000004.00000020.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.366316265.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.368179872.0000000005750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.343377343.0000000003183000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.367396933.0000000002FDE000.00000004.00000010.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.339982172.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.330105874.0000000005750000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.329031309.0000000000AA2000.00000002.00020000.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.329564277.00000000030D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =

One or more processes crash

Source: C:\Users\user\Desktop\calc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 2188

Detected potential crypto function

Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06437EC8		0_2_06437EC8
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0643A720		0_2_0643A720
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0643BB50		0_2_0643BB50
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_064381E0		0_2_064381E0
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06439988		0_2_06439988
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06439EE0		0_2_06439EE0
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06436EE9		0_2_06436EE9
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06436EF8		0_2_06436EF8
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_064337D8		0_2_064337D8
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_064364D8		0_2_064364D8
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_064364E0		0_2_064364E0
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0643BB4F		0_2_0643BB4F
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06438B99		0_2_06438B99
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06438BA8		0_2_06438BA8
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06432840		0_2_06432840
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06431010		0_2_06431010
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_06431020		0_2_06431020
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_064328D8		0_2_064328D8
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_064328B0		0_2_064328B0
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0643997A		0_2_0643997A
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_064331F0		0_2_064331F0
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_07950DA8		0_2_07950DA8
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0795DD78		0_2_0795DD78
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_07955CD0		0_2_07955CD0
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0795AB58		0_2_0795AB58
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_079579A0		0_2_079579A0
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_07953938		0_2_07953938
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0795BE58		0_2_0795BE58
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_07950D99		0_2_07950D99
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_0795AB48		0_2_0795AB48
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_07957990		0_2_07957990
Source: C:\Users\user\Desktop\calc.exe	Code function: 0_2_07E60EF0		0_2_07E60EF0

Sample file is different than original file name gathered from version info

Source: calc.exe, 00000000.00000002.370090913.00000000067B0000.00000004.00000001.sdmp	Binary or memory string: get_OriginalFilename vs calc.exe
Source: calc.exe, 00000000.00000002.370090913.00000000067B0000.00000004.00000001.sdmp	Binary or memory string: originalFilename vs calc.exe
Source: calc.exe, 00000000.00000002.370090913.00000000067B0000.00000004.00000001.sdmp	Binary or memory string: LegalCopyright!OriginalFilename vs calc.exe
Source: calc.exe, 00000000.00000002.370090913.00000000067B0000.00000004.00000001.sdmp	Binary or memory string: SpecialBuild%File: %InternalName: %OriginalFilename: %FileVersion: %FileDescription: %Product: %ProductVersion: %Debug: %Patched: %PreRelease: %PrivateBuild: %SpecialBuild: %Language: vs calc.exe
Source: calc.exe, 00000000.00000000.342834254.000000000117B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs calc.exe

PE file contains strange resources

Source: calc.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample is known by Antivirus

Source: calc.exe	Virustotal: Detection: 54%
Source: calc.exe	ReversingLabs: Detection: 26%

Sample reads its own file content

Source: C:\Users\user\Desktop\calc.exe

File read: C:\Users\user\Desktop\calc.exe

Jump to behavior

PE file has an executable .text section and no other executable section

Source: calc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\calc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\calc.exe 'C:\Users\user\Desktop\calc.exe'
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 2188
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 2188
Source: C:\Users\user\Desktop\calc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 2188			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\Desktop\calc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C9326B03-E51D-43A3-9394-9B8ECCDBAD9B}\InprocServer32

Jump to behavior

Creates temporary files

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER95DF.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal72.evad.winEXE@6/7@1/2

Found detection on Joe Sandbox Cloud Basic with higher score

Source: calc.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Creates mutexes

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5472
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3200:120:WilError_01

Reads the hosts file

Source: C:\Users\user\Desktop\calc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Uses Microsoft Silverlight

Source: C:\Users\user\Desktop\calc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

PE file contains a COM descriptor data directory

Source: calc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: calc.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

PE file contains a debug data directory

Source: calc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: mscorlib.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: C:\Users\jpint\OneDrive\Desktop\BuilderBot\BuilderBot\bin\Release\stub\un_priv\DarkEdition\obj\Release\calc.pdb source: calc.exe
Source:	Binary string: calc.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: System.Core.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: System.Configuration.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: System.Xml.pdb source: WER95DF.tmp.dmp.6.dr
Source:	Binary string: System.pdb source: calc.exe, 00000000.00000002.367647952.00000000031D9000.00000004.00000001.sdmp, WER95DF.tmp.dmp.6.dr

Data Obfuscation:

.NET source code contains potential unpacker

Source: calc.exe, DarkEdition/signature.cs	.Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.calc.exe.aa0000.0.unpack, DarkEdition/signature.cs	.Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.calc.exe.aa0000.3.unpack, DarkEdition/signature.cs	.Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.calc.exe.aa0000.1.unpack, DarkEdition/signature.cs	.Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.calc.exe.aa0000.0.unpack, DarkEdition/signature.cs	.Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

Source: calc.exe

Static PE information: 0xFB362630 [Mon Jul 23 10:32:16 2103 UTC]

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\calc.exe	Memory allocated: 2D40000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Memory allocated: 30D0000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Memory allocated: 50D0000 memory reserve | memory write watch			Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: calc.exe, 00000000.00000002.374478680.00000000073F8000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|y
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Enables debug privileges

Source: C:\Users\user\Desktop\calc.exe

Process token adjusted: Debug

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\calc.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Process queried: DebugPort			Jump to behavior

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Users\user\Desktop\calc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 2188

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\Desktop\calc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\Desktop\calc.exe	Domain query: cdn.discordapp.com
Source: C:\Users\user\Desktop\calc.exe	Network Connect: 162.159.129.233 443			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\calc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 2188

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: calc.exe, 00000000.00000000.329435421.00000000017A0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: calc.exe, 00000000.00000000.329435421.00000000017A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: calc.exe, 00000000.00000000.329435421.00000000017A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: calc.exe, 00000000.00000000.329435421.00000000017A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\calc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Queries volume information: C:\Users\user\Desktop\calc.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\calc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\Desktop\calc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query time zone information

Source: C:\Users\user\Desktop\calc.exe

Code function: 0_2_07957824 GetTimeZoneInformation,

0_2_07957824

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.6.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: procexp.exe