Windows Analysis Report calc.exe

Overview

General Information

Sample Name: calc.exe
Analysis ID: 510683
MD5: ce76ae9d476b9c0daa25daf4c6dd4909
SHA1: f574aa3bbe554363a6f6d1d648c31505bf92bfe5
SHA256: 05f3ac7f197b690f306c521b658c935fbf057d737ad6791cee6e2553b87d090b

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Found detection on Joe Sandbox Cloud Basic with higher score
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
.NET source code contains potential unpacker
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
IP address seen in connection with other malware
Enables debug privileges

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: calc.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: calc.exe Virustotal: Detection: 54%
Source: calc.exe ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: calc.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: calc.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.260801117.0000000002F4D000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb& source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb2 source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb4 source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdbh source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: rasadhlp.pdb~ source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbT3Rm source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbHL source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb:0 source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb= source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.260801117.0000000002F4D000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: kDC:\Users\user\Desktop\calc.pdb source: calc.exe, 00000000.00000000.252775219.00000000006F8000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: System.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: winhttp.pdbZ source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.pdbMZ@ source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdbd source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbG source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.260565634.0000000002F42000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdbV source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: System.pdb source: calc.exe, 00000000.00000000.254647015.0000000002729000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb* source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: C:\Users\jpint\OneDrive\Desktop\BuilderBot\BuilderBot\bin\Release\stub\un_priv\DarkEdition\obj\Release\calc.pdb source: calc.exe
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.260585475.0000000002F53000.00000004.00000001.sdmp
Source: Binary string: calc.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: combase.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbh source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb@ source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
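The debug-symbol strings above come from two places and should not be read alike. Almost all of them are WerFault.exe and the WER2DC6.tmp.dmp crash dump referencing the PDBs of Windows and .NET system modules (wntdll.pdb, clr.pdb, mscorlib.ni.pdb and so on); they only confirm that the sample is a .NET binary that crashed. The one line that matters for attribution is the build path embedded in calc.exe itself, C:\Users\jpint\OneDrive\Desktop\BuilderBot\BuilderBot\bin\Release\stub\un_priv\DarkEdition\obj\Release\calc.pdb: it leaks the developer's Windows username, the builder project name and the stub variant, which are the pivots for hunting other stubs from the same builder. The C:\Users\user\Desktop\calc.pdb string seen in process memory is the sandbox path next to the executable, most likely probed by the .NET runtime for a symbol file while it built the exception stack trace (the diasymreader.pdb references in the same dump are consistent with that); it carries no attribution value. The scanner below is an added example, not part of the report or of Joe Sandbox: it finds CodeView RSDS records in any byte blob (the PE, a minidump or a memory dump), derives the Microsoft symbol-server key, and splits each path into username, project keywords and build configuration. The GUIDs, the filler bytes and the NOISE_DIRS list are assumptions constructed for the example; the long path is the one reported above.

```python
"""Find CodeView (RSDS) debug records in a PE file or memory dump and triage the PDB paths.

Added example for this report, not Joe Sandbox code. Works on any byte blob, so it can be
pointed at the original sample, a WerFault minidump or a process memory dump alike.
"""
import re
import struct
import uuid

RSDS_MAGIC = b"RSDS"   # CodeView 7.0 record: 'RSDS' | GUID (16) | age (uint32) | NUL-terminated path
# Directory names that carry no attribution value in a Visual Studio build path (heuristic list).
NOISE_DIRS = {"users", "onedrive", "desktop", "documents", "source", "repos",
              "bin", "obj", "release", "debug", "x64", "x86", "anycpu"}
USER_DIR = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def iter_rsds(blob: bytes):
    """Yield (offset, guid, age, path) for every plausible RSDS record in the blob."""
    pos = 0
    while (pos := blob.find(RSDS_MAGIC, pos)) != -1:
        body = pos + 4 + 16 + 4
        if body <= len(blob):
            guid = uuid.UUID(bytes_le=blob[pos + 4:pos + 20])   # on-disk GUID is little-endian
            (age,) = struct.unpack_from("<I", blob, pos + 20)
            end = blob.find(b"\x00", body)
            raw_path = blob[body:end if end != -1 else len(blob)]
            try:
                path = raw_path.decode("utf-8")
            except UnicodeDecodeError:
                path = ""
            # Only 'RSDS' followed by a printable *.pdb string is a real record; anything else
            # is a chance match on the four magic bytes.
            if path.lower().endswith(".pdb") and path.isprintable():
                yield pos, guid, age, path
        pos += 4


def symbol_server_key(path: str, guid: uuid.UUID, age: int) -> str:
    """Microsoft symbol-server lookup path: <pdb>/<GUID hex, upper-case><age hex>/<pdb>."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return f"{name}/{guid.hex.upper()}{age:X}/{name}"


def triage_pdb_path(path: str) -> dict:
    """Split a PDB path into the pieces an analyst pivots on: developer username,
    project/solution directory names and build configuration."""
    win = path.replace("/", "\\")
    parts = win.split("\\")
    m = USER_DIR.match(win)
    username = m.group(1) if m else None
    keywords = []
    for p in parts[:-1]:
        if ":" in p or p.lower() in NOISE_DIRS or p == username:
            continue
        if p not in keywords:          # 'BuilderBot\BuilderBot' (solution\project) collapses to one
            keywords.append(p)
    config = next((p for p in parts if p.lower() in ("release", "debug")), None)
    return {
        "pdb_name": parts[-1],
        "username": username,
        "keywords": keywords,
        "build_config": config,
        "full_path": "\\" in path,     # bare 'wntdll.pdb'-style names are OS binaries, not leads
    }


def scan(blob: bytes) -> list:
    """Run the scanner and return one triage record per RSDS hit."""
    results = []
    for off, guid, age, path in iter_rsds(blob):
        rec = triage_pdb_path(path)
        rec.update(offset=off, guid=str(guid), age=age, symbol_key=symbol_server_key(path, guid, age))
        results.append(rec)
    return results


# --- constructed test blob: two RSDS records in filler bytes, plus one decoy 'RSDS' (assumed data) ---
SAMPLE_GUID = uuid.UUID("01234567-89ab-cdef-0123-456789abcdef")      # made-up, not the sample's GUID
SYSTEM_GUID = uuid.UUID("deadbeef-0000-4000-8000-000000000001")      # made-up
SAMPLE_PATH = (r"C:\Users\jpint\OneDrive\Desktop\BuilderBot\BuilderBot\bin\Release"
               r"\stub\un_priv\DarkEdition\obj\Release\calc.pdb")    # path reported above


def build_rsds(guid: uuid.UUID, age: int, path: str) -> bytes:
    return RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age) + path.encode() + b"\x00"


SAMPLE_BLOB = (b"MZ" + b"\x90" * 64
               + build_rsds(SAMPLE_GUID, 1, SAMPLE_PATH)
               + b"\x00" * 16 + b"RSDS\xff\xfe\x00\x01junk"          # decoy: magic, no record behind it
               + b"\x00" * 16 + build_rsds(SYSTEM_GUID, 2, "wntdll.pdb") + b"\x00" * 8)

if __name__ == "__main__":
    for rec in scan(SAMPLE_BLOB):
        print(rec)
```

Point scan() at the raw bytes of the sample or of the WER dump; the keywords list (BuilderBot, stub, un_priv, DarkEdition) is what to search for across a corpus, and the symbol key is what a symbol server would need, which also tells you whether a PDB for this build was ever published anywhere.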

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\Desktop\calc.exe Domain query: cdn.discordapp.com
Source: C:\Users\user\Desktop\calc.exe Network Connect: 162.159.135.233 443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  GET /attachments/897402450376536075/897465559711633408/8NMrqq.txt HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  Host: cdn.discordapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /attachments/897223707649515602/897228595318124554/ascii_ART.txt HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  Host: cdn.discordapp.com
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.159.135.233
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: global traffic HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Thu, 28 Oct 2021 02:56:06 GMT
  Content-Type: application/xml; charset=UTF-8
  Content-Length: 223
  Connection: close
  CF-Ray: 6a50e397b8ab1756-FRA
  Cache-Control: private, max-age=0
  Expires: Thu, 28 Oct 2021 02:56:06 GMT
  Vary: Accept-Encoding
  CF-Cache-Status: MISS
  Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
  X-GUploader-UploadID: ADPycdso1L-ylGX3bmenRtNOQmdon87QxmC7cXUyPENI7fDPUtJpk_9x5Bbi4ZgqkkYUdWdLYHwGtl2nhQu3WyOEx-8lP-t6kA
  X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=X0aOWmo3%2Bd2J5p5kYEmgATNoxtwSQamhuDwF0HfeVv3A%2FULL0goDlzj8myWfYgoN8Wz%2BTegRCRL%2FE6v2%2BH8q99WsdaRWi95pVvtRlzG%2F%2B%2BEfjTXgU25DZRc%2Botur%2FhsNBmyD9A%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
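Three caveats before these entries are turned into detections. First, the "System process connects to network" signature fires because the sample is named calc.exe; the build path embedded in the binary shows a custom .NET stub, not the Windows calculator, so the report gives no evidence of injection into a system process. Second, a .NET sample does TLS through the Windows SChannel stack, so the JA3 value is the operating system's and is shared with benign software on the same Windows build; on its own it is weak evidence. Third, the 403 Forbidden answer (application/xml body, an X-GUploader-UploadID upload-service header) is the storage backend behind Discord's CDN refusing the object, which is what a removed attachment looks like; a failed download is a plausible cause of the process crash recorded by WerFault, though the report does not show that link directly. What does hold up is the behaviour: a non-browser client (the User-Agent is only the platform prefix, with no browser product token after the parenthesis) fetching .txt attachments from cdn.discordapp.com. The script below is an added example, not part of the report or of Joe Sandbox: it parses the two captured requests (re-embedded here as constructed multi-line strings), extracts the attachment URLs, decodes the Discord snowflake IDs into channel-creation and upload times, and flags the bare user agent. The regular expressions and the record layout are assumptions of the example.

```python
"""Pull Discord CDN attachment URLs out of captured HTTP requests and decode their snowflake IDs.

Added example for this report, not Joe Sandbox code.
"""
import re
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)   # snowflake epoch (1420070400000 ms)

# Constructed from the two GET requests listed above; the sandbox had flattened each onto one line.
CAPTURED_REQUESTS = [
    "GET /attachments/897402450376536075/897465559711633408/8NMrqq.txt HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Host: cdn.discordapp.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /attachments/897223707649515602/897228595318124554/ascii_ART.txt HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Host: cdn.discordapp.com\r\n\r\n",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
ATTACHMENT = re.compile(r"^/attachments/(?P<channel>\d{17,20})/(?P<attachment>\d{17,20})/(?P<name>[^/?#]+)")
# A browser UA continues after the platform parenthesis (AppleWebKit/..., Gecko/..., ...).
# A UA that stops there is a custom HTTP client that copied only the prefix (heuristic).
BARE_PLATFORM_UA = re.compile(r"^Mozilla/\d\.\d \([^)]*\)$")


def snowflake_time(snowflake: int) -> datetime:
    """Bits 22..63 of a Discord ID hold the creation time in ms since the Discord epoch."""
    return DISCORD_EPOCH + timedelta(milliseconds=snowflake >> 22)


def parse_request(raw: str):
    """Minimal HTTP/1.x request parser: request line plus headers (names lower-cased)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(head[0])
    if not m:
        return None
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": m["method"], "target": m["target"], "headers": headers}


def looks_like_bare_platform_ua(ua: str) -> bool:
    return bool(ua) and BARE_PLATFORM_UA.match(ua) is not None


def extract_attachments(requests):
    """Return one IOC record per Discord CDN attachment fetch found in the captured requests."""
    found = []
    for raw in requests:
        req = parse_request(raw)
        if not req or req["headers"].get("host", "").lower() != "cdn.discordapp.com":
            continue
        m = ATTACHMENT.match(req["target"])
        if not m:
            continue
        channel_id, attachment_id = int(m["channel"]), int(m["attachment"])
        ua = req["headers"].get("user-agent", "")
        found.append({
            "url": "https://cdn.discordapp.com" + req["target"],
            "channel_id": channel_id,
            "attachment_id": attachment_id,
            "filename": m["name"],
            "channel_created_utc": snowflake_time(channel_id),
            "uploaded_utc": snowflake_time(attachment_id),
            "user_agent": ua,
            "non_browser_client": looks_like_bare_platform_ua(ua),
        })
    return found


if __name__ == "__main__":
    for ioc in extract_attachments(CAPTURED_REQUESTS):
        print(ioc["url"])
        print("  uploaded", ioc["uploaded_utc"].isoformat(), "| custom client:", ioc["non_browser_client"])
```

Run as-is it prints the two URLs with their upload times (the 8NMrqq.txt attachment decodes to 12 October 2021, about two weeks before this analysis); feed extract_attachments() request lines carved from a PCAP to get the same records for live traffic. The snowflake time is set by Discord at upload and cannot be altered by the operator, which makes it a reliable anchor for a campaign timeline, and the bare user agent is the cheapest proxy-side check: a request for cdn.discordapp.com from a client that is not a browser or the Discord app deserves a block or at least an alert.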
Source: calc.exe, 00000000.00000002.293292330.0000000002691000.00000004.00000001.sdmp String found in binary or memory: http://cdn.discordapp.com
Source: WerFault.exe, 00000005.00000003.289499864.0000000004EDB000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: calc.exe, 00000000.00000002.293201383.0000000002677000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.5.dr String found in binary or memory: http://upx.sf.net
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124 and every shorter prefix of it down to https://cdn.d (61 hits, each one character longer than the previous)
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972285953181245
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722859531812455
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/a
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/as
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/asc
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/asci
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_A
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_AR
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.t
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.tx
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.txt
Source: calc.exe, 00000000.00000002.293201383.0000000002677000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/897402450376536075/897465559711633408/8NMrqq.txt
Source: calc.exe, 00000000.00000002.293201383.0000000002677000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com4
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.comD8
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/897402450376536075/897465559711633408/8NMrqq.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /attachments/897223707649515602/897228595318124554/ascii_ART.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Host: cdn.discordapp.com

System Summary:

barindex
Found detection on Joe Sandbox Cloud Basic with higher score
Source: calc.exe Joe Sandbox Cloud Basic: Detection: malicious Score: 72
Yara signature match
Source: calc.exe, type: SAMPLE Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.calc.exe.320000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.calc.exe.320000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.calc.exe.320000.2.unpack, type: UNPACKEDPE Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.calc.exe.320000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.252642988.0000000000322000.00000002.00020000.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.291985012.0000000000322000.00000002.00020000.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.245005606.0000000000322000.00000002.00020000.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.293201383.0000000002677000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.254525892.0000000002677000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.254621493.00000000026D3000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.293367777.00000000026D3000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.253884839.0000000000322000.00000002.00020000.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.253255248.0000000002677000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: calc.exe PID: 2952, type: MEMORYSTR Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: WerFault.exe PID: 5944, type: MEMORYSTR Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
One or more processes crash
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 2104
PE file contains strange resources
Source: calc.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: calc.exe Virustotal: Detection: 54%
Source: calc.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\calc.exe File read: C:\Users\user\Desktop\calc.exe
Source: calc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\calc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\calc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown Process created: C:\Users\user\Desktop\calc.exe 'C:\Users\user\Desktop\calc.exe'
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\calc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 2104
Source: C:\Users\user\Desktop\calc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3100:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2952
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DC6.tmp
Source: classification engine Classification label: mal80.evad.winEXE@3/7@1/2
Source: C:\Users\user\Desktop\calc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\calc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: calc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: calc.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: kDC:\Users\user\Desktop\calc.pdb source: calc.exe, 00000000.00000000.252775219.00000000006F8000.00000004.00000001.sdmp
Source: Binary string: C:\Users\jpint\OneDrive\Desktop\BuilderBot\BuilderBot\bin\Release\stub\un_priv\DarkEdition\obj\Release\calc.pdb source: calc.exe

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: calc.exe, DarkEdition/signature.cs .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.calc.exe.320000.1.unpack, DarkEdition/signature.cs .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.calc.exe.320000.0.unpack, DarkEdition/signature.cs .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.calc.exe.320000.0.unpack, DarkEdition/signature.cs .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.calc.exe.320000.2.unpack, DarkEdition/signature.cs .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: calc.exe Static PE information: 0xFB362630 [Mon Jul 23 10:32:16 2103 UTC]
Note: a far-future COFF TimeDateStamp on a .NET assembly is weak evidence on its own. Roslyn's deterministic builds write a content hash into this field instead of the build time, so values like this are common for legitimately compiled managed code.
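The two signatures above, the Assembly.Load(byte[]) stub and the implausible PE timestamp, are both things a practitioner checks statically before running the sample. The following Python script is an added example and is not code from the report, from Joe Sandbox, or from the sample's author: it carves every plausible PE header out of a byte blob (the unencrypted case of a payload that an Assembly.Load(byte[]) stub feeds to the runtime) and decodes each header's TimeDateStamp, flagging zeroed, future or implausibly old values. The two PE images in SAMPLE are constructed for the demonstration; the 0x40..0x400 bound on e_lfanew and the 1995 lower limit are assumptions, not PE-format requirements. When the embedded payload is encrypted or compressed, as it usually is for a builder-generated stub, the carver finds nothing and the place to look is the memory dumps the report lists as *.unpack.

```python
import struct
from datetime import datetime, timedelta, timezone

# Epoch of the COFF TimeDateStamp field (seconds since 1970-01-01 UTC).
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _build_min_pe(timestamp):
    """Construct a minimal PE image: DOS header, PE signature, COFF header and an
    all-zero optional-header placeholder. Test input only; nothing here comes from
    the analysed sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xE0)


def pe_headers(blob):
    """Yield (offset, e_lfanew, timestamp) for every plausible PE header in blob,
    including images embedded inside another file (the carve step for loaders that
    hand a byte array to Assembly.Load)."""
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
            pe = pos + e_lfanew
            # Assumption: bound e_lfanew so random 'MZ' byte pairs are not reported.
            if (0x40 <= e_lfanew <= 0x400 and pe + 24 <= len(blob)
                    and blob[pe:pe + 4] == b"PE\0\0"):
                (ts,) = struct.unpack_from("<I", blob, pe + 8)   # COFF TimeDateStamp
                yield pos, e_lfanew, ts
        pos = blob.find(b"MZ", pos + 1)


def assess_timestamp(ts, now=None):
    """Decode a TimeDateStamp and classify it as a build time."""
    now = now or datetime.now(timezone.utc)
    when = _EPOCH + timedelta(seconds=ts)       # avoids platform limits of fromtimestamp()
    if ts == 0:
        verdict = "zeroed"
    elif when > now:
        verdict = "future"
    elif when < datetime(1995, 1, 1, tzinfo=timezone.utc):   # assumption: nothing older expected
        verdict = "implausibly-old"
    else:
        verdict = "plausible"
    return when, verdict


def triage(blob, now=None):
    """Return (offset, timestamp, decoded datetime, verdict) for each PE header found."""
    return [(off, ts, *assess_timestamp(ts, now)) for off, _, ts in pe_headers(blob)]


# Constructed sample: an outer image carrying the report's 0xFB362630 stamp, followed by
# padding and a second image with a 2021 stamp standing in for an embedded payload.
SAMPLE = _build_min_pe(0xFB362630) + b"\x00" * 64 + b"junk" + _build_min_pe(0x60A00000)

if __name__ == "__main__":
    for off, ts, when, verdict in triage(SAMPLE):
        print(f"offset 0x{off:x}: TimeDateStamp 0x{ts:08X} -> {when:%Y-%m-%d %H:%M:%S} UTC ({verdict})")
```

Run against a real file with triage(open(path, "rb").read()); the first hit at offset 0 is the host image and any later hit is an embedded image worth dumping and examining on its own.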

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Note: the source of this event is WerFault.exe, the Windows error-reporting process started when the sample crashed (its dump WER2DC6.tmp.dmp carries the calc.pdb reference listed above), not calc.exe itself; it does not show the sample guarding an autostart entry.
Source: C:\Users\user\Desktop\calc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (reported 37 times; identical events collapsed)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (reported 20 times; identical events collapsed)

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Note: the virtualization strings below are sourced from Amcache.hve (the application-compatibility hive dropped by the WerFault process, 5.dr) and from WerFault.exe memory. They describe the sandbox's own hardware inventory (VMware BIOS, virtual disk and CD-ROM, Hyper-V generation counter) and are not strings found in calc.exe, so they are not evidence that the sample checks for a virtual machine.
Source: Amcache.hve.5.dr Binary or memory string: VMware
Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: WerFault.exe, 00000005.00000002.291345050.0000000004F73000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWX
Source: Amcache.hve.5.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000005.00000002.291282032.0000000004EB9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\calc.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\calc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Note: the connecting process is the sample itself, running from C:\Users\user\Desktop\calc.exe. It shares its file name with the Windows calculator but is not the system binary, and the report shows no injection into a genuine system process; treat the two events below as the sample's own outbound traffic (a TLS connection to cdn.discordapp.com) rather than as evidence of injection.
Source: C:\Users\user\Desktop\calc.exe Domain query: cdn.discordapp.com
Source: C:\Users\user\Desktop\calc.exe Network Connect: 162.159.135.233 443 Jump to behavior
Source: calc.exe, 00000000.00000000.254367782.0000000001060000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: calc.exe, 00000000.00000000.254367782.0000000001060000.00000002.00020000.sdmp Binary or memory string: Progman
Source: calc.exe, 00000000.00000000.254367782.0000000001060000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: calc.exe, 00000000.00000000.254367782.0000000001060000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: calc.exe, 00000000.00000000.254367782.0000000001060000.00000002.00020000.sdmp Binary or memory string: Progmanlock
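The network indicators in this section (the cdn.discordapp.com query and the connection to 162.159.135.233:443) need care in detection content: 162.159.0.0/16 is Cloudflare anycast space shared by many unrelated sites, and cdn.discordapp.com is a legitimate CDN that browsers and the Discord client contact all day. The following Python script is an added example, not code from the report or from Joe Sandbox: it scores Sysmon-style DNS (EventID 22) and network-connection (EventID 3) records against those two indicators, treating a domain hit from an unexpected process as high confidence and an IP-only hit as low confidence unless the same process already hit the domain. The key=value line format, the sample events and the EXPECTED_IMAGES allow-list are constructed assumptions for the demonstration.

```python
import re

# Indicators from the report: the sample resolved cdn.discordapp.com and connected to
# 162.159.135.233:443. The IP sits in Cloudflare's shared 162.159.0.0/16 block.
IOC_DOMAINS = {"cdn.discordapp.com"}
IOC_IPS = {"162.159.135.233"}

# Assumption for this example: processes expected to talk to the Discord CDN.
# A browser or the Discord client is normal; a binary under a user's Desktop is not.
EXPECTED_IMAGES = re.compile(r"\\(chrome|msedge|firefox|discord)\.exe$", re.IGNORECASE)


def parse_event(line):
    """Parse one constructed key=value line into a dict; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def score_events(lines):
    """Return (image, indicator, confidence) for every IOC hit in order of appearance.
    EventID 22 carries QueryName; EventID 3 carries DestinationIp/DestinationPort.
    Expected images are ignored, a domain hit is high confidence, and an IP hit is
    low confidence unless the same image already produced a domain hit."""
    hits = []
    flagged_images = set()
    for ev in map(parse_event, lines):
        image = ev.get("Image", "")
        if EXPECTED_IMAGES.search(image):
            continue                      # browsers and the Discord client reach the CDN legitimately
        if ev.get("EventID") == "22" and ev.get("QueryName", "").lower() in IOC_DOMAINS:
            flagged_images.add(image)
            hits.append((image, ev["QueryName"], "high"))
        elif ev.get("EventID") == "3" and ev.get("DestinationIp") in IOC_IPS:
            conf = "high" if image in flagged_images else "low"
            hits.append((image, f"{ev['DestinationIp']}:{ev.get('DestinationPort', '?')}", conf))
    return hits


# Constructed sample events (not taken from the report's own logs): the sample's DNS query
# and TLS connection, a browser doing the same, and a system process reaching the same
# shared Cloudflare address for some unrelated site.
SAMPLE_EVENTS = [
    'EventID=22 Image="C:\\Users\\user\\Desktop\\calc.exe" QueryName=cdn.discordapp.com',
    'EventID=3 Image="C:\\Users\\user\\Desktop\\calc.exe" DestinationIp=162.159.135.233 DestinationPort=443',
    'EventID=22 Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" QueryName=cdn.discordapp.com',
    'EventID=3 Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" DestinationIp=162.159.135.233 DestinationPort=443',
    'EventID=3 Image="C:\\Windows\\System32\\svchost.exe" DestinationIp=162.159.135.233 DestinationPort=443',
]

if __name__ == "__main__":
    for image, indicator, conf in score_events(SAMPLE_EVENTS):
        print(f"{conf:4}  {indicator:24}  {image}")
```

The design point is the confidence split: an IP-only match on a shared CDN address is a triage lead at best, while the domain query from a process that has no business fetching from that CDN, correlated with the same process's TLS connection, is what an analyst would actually alert on.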

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\calc.exe Queries volume information: C:\Users\user\Desktop\calc.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\calc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Note: both matches are in Amcache.hve, the Windows hive that records executed programs and lists the Defender engine on any default installation; they are not strings inside calc.exe, so this signature gives no evidence that the sample enumerates or terminates AV processes.
Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe