
Windows Analysis Report calc.exe

Overview

General Information

Sample Name: calc.exe
Analysis ID: 510683
MD5: ce76ae9d476b9c0daa25daf4c6dd4909
SHA1: f574aa3bbe554363a6f6d1d648c31505bf92bfe5
SHA256: 05f3ac7f197b690f306c521b658c935fbf057d737ad6791cee6e2553b87d090b

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Found detection on Joe Sandbox Cloud Basic with higher score
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
.NET source code contains potential unpacker
AV process strings found (often used to terminate AV products)
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
PE file contains strange resources
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
IP address seen in connection with other malware
Enables debug privileges

Process Tree

  • System is w10x64
  • calc.exe (PID: 2952 cmdline: 'C:\Users\user\Desktop\calc.exe' MD5: CE76AE9D476B9C0DAA25DAF4C6DD4909)
    • conhost.exe (PID: 3100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 5944 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 2104 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
calc.exe | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x158e:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.252642988.0000000000322000.00000002.00020000.sdmp | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x138e:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
00000000.00000002.291985012.0000000000322000.00000002.00020000.sdmp | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x138e:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
00000000.00000000.245005606.0000000000322000.00000002.00020000.sdmp | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x138e:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x10440:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
  • 0x10504:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
00000000.00000002.293201383.0000000002677000.00000004.00000001.sdmp | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x66a:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
  • 0x736:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.calc.exe.320000.1.unpack | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x158e:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
0.0.calc.exe.320000.0.unpack | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x158e:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
0.0.calc.exe.320000.2.unpack | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x158e:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc
0.2.calc.exe.320000.0.unpack | SUSP_Encoded_Discord_Attachment_Oct21_1 | Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN) | Florian Roth
  • 0x158e:$enc_r01: stnemhcatta/moc.ppadrocsid.ndc

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: calc.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: calc.exe | Virustotal: Detection: 54%
Source: calc.exe | ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: calc.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: calc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: kDC:\Users\user\Desktop\calc.pdb source: calc.exe, 00000000.00000000.252775219.00000000006F8000.00000004.00000001.sdmp
Source: Binary string: C:\Users\jpint\OneDrive\Desktop\BuilderBot\BuilderBot\bin\Release\stub\un_priv\DarkEdition\obj\Release\calc.pdb source: calc.exe
Source: Binary string: calc.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp, WER2DC6.tmp.dmp.5.dr

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\Desktop\calc.exe | Domain query: cdn.discordapp.com
Source: C:\Users\user\Desktop\calc.exe | Network Connect: 162.159.135.233 443
Source: global traffic | HTTP traffic detected: GET /attachments/897402450376536075/897465559711633408/8NMrqq.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) | Host: cdn.discordapp.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /attachments/897223707649515602/897228595318124554/ascii_ART.txt HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) | Host: cdn.discordapp.com
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 162.159.135.233 162.159.135.233
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Thu, 28 Oct 2021 02:56:06 GMT | Content-Type: application/xml; charset=UTF-8 | Content-Length: 223 | Connection: close | CF-Ray: 6a50e397b8ab1756-FRA | Cache-Control: private, max-age=0 | Expires: Thu, 28 Oct 2021 02:56:06 GMT | Vary: Accept-Encoding | CF-Cache-Status: MISS | Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" | X-GUploader-UploadID: ADPycdso1L-ylGX3bmenRtNOQmdon87QxmC7cXUyPENI7fDPUtJpk_9x5Bbi4ZgqkkYUdWdLYHwGtl2nhQu3WyOEx-8lP-t6kA | X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=X0aOWmo3%2Bd2J5p5kYEmgATNoxtwSQamhuDwF0HfeVv3A%2FULL0goDlzj8myWfYgoN8Wz%2BTegRCRL%2FE6v2%2BH8q99WsdaRWi95pVvtRlzG%2F%2B%2BEfjTXgU25DZRc%2Botur%2FhsNBmyD9A%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare
Source: calc.exe, 00000000.00000002.293292330.0000000002691000.00000004.00000001.sdmp | String found in binary or memory: http://cdn.discordapp.com
Source: WerFault.exe, 00000005.00000003.289499864.0000000004EDB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: calc.exe, 00000000.00000002.293201383.0000000002677000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 00000005.00000003.265173725.00000000059A0000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/89722370764951560
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972285
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722859
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972285953
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722859531
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972285953181
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722859531812
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/8972285953181245
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/89722859531812455
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/a
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/as
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/asc
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/asci
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_A
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_AR
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.t
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmpString found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.tx
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/897223707649515602/897228595318124554/ascii_ART.txt
Source: calc.exe, 00000000.00000002.293201383.0000000002677000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/897402450376536075/897465559711633408/8NMrqq.txt
Source: calc.exe, 00000000.00000002.293201383.0000000002677000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com4
Source: calc.exe, 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.comD8
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic | HTTP traffic detected: GET /attachments/897402450376536075/897465559711633408/8NMrqq.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Host: cdn.discordapp.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /attachments/897223707649515602/897228595318124554/ascii_ART.txt HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Host: cdn.discordapp.com
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.5:49706 version: TLS 1.2

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score
Source: calc.exe | Joe Sandbox Cloud Basic: Detection: malicious Score: 72
Source: calc.exe, type: SAMPLE | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.calc.exe.320000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.calc.exe.320000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.0.calc.exe.320000.2.unpack, type: UNPACKEDPE | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 0.2.calc.exe.320000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.252642988.0000000000322000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.291985012.0000000000322000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.245005606.0000000000322000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.253313788.00000000026D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.293201383.0000000002677000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.254525892.0000000002677000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.254621493.00000000026D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000002.293367777.00000000026D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.253884839.0000000000322000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: 00000000.00000000.253255248.0000000002677000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: calc.exe PID: 2952, type: MEMORYSTR | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: Process Memory Space: WerFault.exe PID: 5944, type: MEMORYSTR | Matched rule: SUSP_Encoded_Discord_Attachment_Oct21_1 date = 2021-10-12, author = Florian Roth, description = Detects suspicious encoded URL to a Discord attachment (often used for malware hosting on a legitimate FQDN), reference = Internal Research, score =
Source: C:\Users\user\Desktop\calc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 2104
Source: calc.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: calc.exe | Virustotal: Detection: 54%
Source: calc.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\calc.exe | File read: C:\Users\user\Desktop\calc.exe
Source: calc.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\calc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\calc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\calc.exe 'C:\Users\user\Desktop\calc.exe'
Source: C:\Users\user\Desktop\calc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\calc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 2104
Source: C:\Users\user\Desktop\calc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3100:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2952
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2DC6.tmp
Source: classification engine | Classification label: mal80.evad.winEXE@3/7@1/2
Source: C:\Users\user\Desktop\calc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\calc.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\calc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: calc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: calc.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: calc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: rsaenh.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdb% source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.260801117.0000000002F4D000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb& source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb2 source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb4 source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdbh source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: rasadhlp.pdb~ source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbT3Rm source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.pdbHL source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb:0 source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdb= source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: gpapi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: wsspicli.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000005.00000003.260801117.0000000002F4D000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: kDC:\Users\user\Desktop\calc.pdb source: calc.exe, 00000000.00000000.252775219.00000000006F8000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: System.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: winhttp.pdbZ source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: diasymreader.pdb_ source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.pdbMZ@ source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: mscoreei.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: winnsi.pdbd source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: sechost.pdbG source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000005.00000003.260565634.0000000002F42000.00000004.00000001.sdmp
Source: Binary string: wmswsock.pdbV source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb> source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: System.pdb source: calc.exe, 00000000.00000000.254647015.0000000002729000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.267702128.0000000005460000.00000004.00000040.sdmp
Source: Binary string: psapi.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb* source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: C:\Users\jpint\OneDrive\Desktop\BuilderBot\BuilderBot\bin\Release\stub\un_priv\DarkEdition\obj\Release\calc.pdb source: calc.exe
Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000005.00000002.291489220.0000000005750000.00000004.00000001.sdmp
Source: Binary string: mscoreei.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000005.00000003.260585475.0000000002F53000.00000004.00000001.sdmp
Source: Binary string: calc.pdb source: WerFault.exe, 00000005.00000003.267591215.0000000005491000.00000004.00000001.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: combase.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000005.00000003.267521490.000000000546A000.00000004.00000040.sdmp
Source: Binary string: System.Core.pdbh source: WER2DC6.tmp.dmp.5.dr
Source: Binary string: System.ni.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp, WER2DC6.tmp.dmp.5.dr
Source: Binary string: cryptbase.pdbk source: WerFault.exe, 00000005.00000003.267503853.0000000005462000.00000004.00000040.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb@ source: WerFault.exe, 00000005.00000003.267465154.000000000546E000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: calc.exe, DarkEdition/signature.cs; .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.calc.exe.320000.1.unpack, DarkEdition/signature.cs; .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.calc.exe.320000.0.unpack, DarkEdition/signature.cs; .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.calc.exe.320000.0.unpack, DarkEdition/signature.cs; .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.calc.exe.320000.2.unpack, DarkEdition/signature.cs; .Net Code: revert System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: calc.exe; Static PE information: 0xFB362630 [Mon Jul 23 10:32:16 2103 UTC]
Source: C:\Windows\SysWOW64\WerFault.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\calc.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: Amcache.hve.5.dr; Binary or memory string: VMware
Source: Amcache.hve.5.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: WerFault.exe, 00000005.00000002.291345050.0000000004F73000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAWX
Source: Amcache.hve.5.dr; Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr; Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.5.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr; Binary or memory string: VMware7,1
Source: Amcache.hve.5.dr; Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000005.00000002.291282032.0000000004EB9000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr; Binary or memory string: VMware, Inc.me
Source: Amcache.hve.5.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.5.dr; Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.5.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000